Regulatory Roundup, Part 3: Proposed Canadian Breach Notice Requirements

1/26/2012

The Canadian Parliament is again considering a requirement for organizations in Canada to notify individuals and the Office of the Privacy Commissioner of Canada in the event of a data breach. Under proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations would be required to notify the Commissioner when there is a “material breach.” The bill does not define this term, but states that relevant factors for consideration of whether a breach is material include:

  • The sensitivity of the breached personal data;
  • The number of individuals affected by the breach; and


Regulatory Roundup, Part 2: Anticipated Reform of EU Data Protection Directive

1/19/2012

In December, the much anticipated draft of recommended reforms to the EU Data Protection Directive was released into inter-service consultation. The draft came in the form of two documents outlining recommendations for proposed regulations, one covering government entities and the other covering private businesses.

The proposed regulation for private business would repeal the EU Data Protection Directive and set out the requirements for protecting personal information directly in the regulation itself. Unlike a directive, which each member state must transpose into its own national law, a regulation applies directly across the EU. This removes the nation-to-nation variation that has caused headaches for multi-national companies under the existing directive.


Regulatory Roundup, Part 1: Impact of SEC Cyber Security Disclosure Guidance

1/12/2012

While state data breach notice laws have been around for several years now, publicly traded companies face a new dimension to their cyber security obligations. Recent Securities and Exchange Commission (SEC) guidance specifically calls out cyber security risks and directs publicly traded companies to consider the risk of cyber incidents under their existing disclosure obligations. The guidance is not a binding regulation, but it will likely become the standard by which the SEC, and certainly plaintiffs' lawyers, measure a company's compliance.


Start the New Year with Kroll’s Regulatory Roundup!

1/05/2012

It’s the start of a new year, and time for Kroll to ask the perennial questions: what are your data security resolutions? Any plans to evaluate your security posture? Put resources toward risk management? Or perhaps, like many organizations, you’re waiting to see how the compliance landscape shapes up for the coming year?

If you’ve got the last one in mind, you’re in luck. We’re devoting January to a rundown of recent developments, proposals, and guidance issued here and abroad. When we released our 2012 cyber security trends list in December, we specifically said we believe breach notification laws will gain traction globally, even if a federal law stalls here in the U.S.


Vital To Survival? Young Workers’ Interconnectivity, Attitudes Towards Security May Prove Problematic for Global Corporations

12/23/2011

A new report from Cisco sheds light on the growing importance of connectivity in an already highly connected world, and raises some disturbing security questions for businesses and consumers alike. The 2011 Cisco Connected World Technology Report shows the internet to be an integral part of respondents’ lives, ranked right up there with such basic needs as food and shelter.

To put the study’s findings in perspective, it’s important to know who responded to the online survey. Half (1,441) were college students ages 18-24; the other half (1,412) were end users who met certain criteria: all were college graduates or higher, employed full-time in a non-IT role at an organization with at least 10 employees worldwide. Market research and non-profit organizations were excluded.
