Insurance Travel Information





Privacy and Security Law Blog

  • FTC "Reminder" About ID Theft Red Flag Compliance

    Our recent Advisory Bulletin recounts how the FTC recently issued a gentle reminder that companies should be well along in putting their Identity Theft Red Flag programs in place ahead of the November 2008 compliance deadline. The FTC's notice also announced an outreach effort to explain the rules, which included publication of a very general alert on what the rules require and what types of businesses must comply.

    The Identity Theft Red Flag Rules were jointly adopted last year by the FTC and five other federal agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration) pursuant to the Fair and Accurate Credit Transactions Act of 2003. Under the rules, financial institutions and “creditors” with “covered accounts” must have identity theft prevention programs in place and operating by November 1, 2008. The programs must identify, detect and respond to patterns, practices or specific activities (the “red flags”) that could indicate an account holder has been the victim of, or is engaged in, identity theft.

    As explained in the DWT advisory, all types of financial institutions and most electronic service providers (including video, Internet and voice service providers) will have “covered accounts” governed by these new rules and therefore must have designed, implemented and begun operating an internal system to detect and combat identity theft no later than November 1, 2008. The advisory provides the relevant definitions and other triggering terms in the rules, and an overview of what they require.
  • Malware Cited as the Cause of Massive Supermarket Data Breach

    By Hozaifa Cassubhai

    A massive data breach at an East Coast supermarket chain, disclosed earlier in March, compromised up to 4.2 million credit and debit card numbers and has so far led to some 1,800 cases of fraud, some as far away as Mexico, Italy and Bulgaria. The Hannaford Bros. grocery chain has now announced the cause of that breach: unauthorized software secretly installed on store servers that intercepted card data as customers paid with plastic at checkout counters.

    While the precise source of the malicious software remains under investigation, the Scarborough, Maine-based grocer confirmed that it had informed Massachusetts regulators of the link between the breach and the malware, which was found on servers at nearly all of the company’s 271 stores. The U.S. Secret Service has confirmed that it is assisting the investigation, although the scope of its involvement is unclear.

    The Hannaford breach is unusual in that card numbers were captured while in transit, at the point of sale, rather than from a database. This is a newer and more sophisticated line of attack, one that exploits weaknesses in the communication between cash registers and store servers, as Neal Krawetz of Hacker Factor Solutions has warned in his research.

    That method contrasts with the usual mode of attack, which targets data at rest in databases, as was the case in the record-setting theft of information from Massachusetts-based TJX Cos. in 2005 and 2006. That breach compromised 45.7 million accounts of customers of T.J. Maxx and Marshalls stores and now forms the basis of a pending federal consumer lawsuit in Boston.

    Hannaford states that its breach occurred between Dec. 7, 2007 and March 10, 2008, but notes that while the breach was ongoing, the company was found to be in compliance with the relevant industry security standards.  “We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement on March 17.  “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”
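The attack described above captured card numbers on the link between registers and store servers. As an added illustration (not part of the original post, and not Hannaford's or the investigators' tooling), the following Python scanner shows how little work it takes to harvest valid card numbers from an unencrypted register-to-server stream, and, run from the defender's side, how the same Luhn check lets a DLP or network sensor monitor such links for card data in the clear. The traffic sample, register names and field layout are constructed for the example; the card numbers are the standard test numbers used by payment processors' sandboxes, not real accounts.

```python
import re
from typing import List

# Constructed sample of what a register-to-branch-server exchange could look
# like if card data were sent in the clear. The layout and register names are
# invented for this example; the PANs are public processor test numbers.
SAMPLE_TRAFFIC = (
    b"POS-REG07 SALE AMT=42.17 PAN=4111111111111111 EXP=1109 AUTH=OK\r\n"
    b"POS-REG07 SALE AMT=9.99 PAN=5555555555554444 EXP=0310 AUTH=OK\r\n"
    b"POS-REG03 SALE AMT=120.00 PAN=378282246310005 EXP=0511 AUTH=OK\r\n"
    b"POS-REG03 LOG order=1234567890123456 status=shipped\r\n"  # 16 digits, not a PAN
    b"POS-REG12 SALE AMT=3.50 TOKEN=a8f1c2e9d4b7 AUTH=OK\r\n"   # tokenised, nothing to harvest
)

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Coarse issuer identification from leading digits, for labelling only."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"34", "37"}:
        return "amex"
    if 51 <= int(pan[:2]) <= 55:
        return "mastercard"
    return "other"


def mask(pan: str) -> str:
    """Keep the first six and last four digits so a report of the finding does not re-expose the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_pans(stream: bytes) -> List[dict]:
    """Return one finding per Luhn-valid card number found in a captured byte stream."""
    findings = []
    for lineno, raw in enumerate(stream.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(raw):
            digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
            # Digit runs that fail Luhn (order numbers, timestamps) are discarded,
            # which is what keeps the false-positive rate tolerable on real traffic.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "brand": brand_of(digits), "pan": mask(digits)})
    return findings


if __name__ == "__main__":
    for f in scan_for_pans(SAMPLE_TRAFFIC):
        print(f"line {f['line']}: {f['brand']} {f['pan']}")
```

Three of the five sample lines yield a valid card number; the 16-digit order number on line 4 is rejected by the Luhn check and the tokenised sale on line 5 exposes nothing, which is the point of tokenisation or end-to-end encryption on that link: a sniffer in the same position as the Hannaford malware has nothing usable to capture.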

  • Some State Data Encryption Requirements More Effective than Others

    Posted by Randy Gainer

    State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require a business to notify customers when their digital personal information has been stolen or lost if that information was encrypted. The Federal Trade Commission encourages, but does not mandate, encryption of consumers’ personal data. See Protecting Personal Information: A Guide for Businesses.

    Nevada has enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements. Of the various measures, the proposed Michigan bill and the Washington Senate bill would most effectively protect consumer data if enacted.

    The Nevada statute, NRS 597.970 (effective October 1, 2008), requires each business in Nevada to encrypt customers’ personal information when it is transmitted outside the business’s secure network. See Charlene Brownlee, “Nevada passes first law requiring business to encrypt customer personal information during transmission” (October 19, 2007). The Nevada statute does not require businesses to encrypt consumers’ personal information while it is stored on the business’s servers, laptops, or backup tapes. Yet stored data is lost or stolen in far larger quantities than data in transit: the overwhelming majority of reported incidents involve stored data, whether a lost laptop, a missing backup tape or a compromised database, rather than data intercepted during transmission. See, e.g., Chronology of Data Breaches. A mandate limited to data in transit will therefore do little to stem the tide of stolen and lost consumer data.

    Unlike the Nevada statute, Michigan Senate Bill No. 1022 would require businesses to encrypt stored consumer data. The Michigan bill would, among other things, amend the state’s “Identity Theft Protection Act,” MCL 445.71-.72, by prohibiting the following conduct:

    (e) If the person collects personal identifying information in the regular course of business and stores that information in a computerized database, failing or neglecting to store that information in the database in an encrypted form, in conformity with current industry-standard encryption methods and capabilities.

    This prohibition would make it unlawful both to fail to encrypt consumers’ personal information stored in digital form and to fail to use “industry-standard encryption methods and capabilities.” The latter requirement should prevent businesses from deploying out-of-date encryption programs and from using deficient encryption procedures; a database protected by a weak algorithm, or with the key stored alongside the data, is encrypted in name only. It is important that businesses be required not only to encrypt stored data but to do so competently. See, e.g., Mike C


Copyright c 2007 http://www.InsuranceTravelInformation.com/