
Security

April 14, 2009 10:57 AM PDT

Why a national data breach notification law makes sense

by Jon Oltsik

As we await the 60-day federal cybersecurity review from Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, there is a related step the federal government could take to protect the private information of U.S. citizens while reducing the cost of doing so. In my humble opinion, it is time to create a single federal data breach disclosure law. I believe this action would:

  1. Simplify the maze of current state legislation. As of the end of December, 44 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted security breach notification legislation. While most of these laws are modeled on the original California legislation (SB-1386) that took effect in 2003, there are subtle differences in terms of deadlines for notifications, definitions, and civil penalties. Massachusetts and Nevada have gone the furthest so far by mandating that private data be encrypted in certain circumstances. Obviously, this creates a legislative mess that could be streamlined by one central federal regulation.

  2. Protect the unprotected. In the six years since California started the trend toward data breach notification legislation, Alabama, Kentucky, Mississippi, New Mexico, and South Dakota still have no such laws in place, or have laws that haven't taken effect. I'm not sure why this is, but citizens in these states deserve the same type of protection the rest of us have.

  3. Extend the definition of private data into other areas. Aside from state data notification laws, many large organizations must still comply with the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, etc. There must be a way to broaden the definition of private data and consolidate private data security and breach notification legislation, as the European Union has done. The cost of compliance could drop precipitously if organizations were not obligated to perform the same basic tasks and audits numerous times.

If we are truly looking for ways to improve electronic data security and reduce cost and overhead, this seems like a good plan to me. I know my argument is simple and I'd be glad to learn more as to whether this logic makes sense. Please let me know if my instincts are correct or whether I've missed some important issues.

October 14, 2008 8:10 PM PDT

Fake Microsoft e-mail contains Trojan virus

by Steven Musil

Along with the vulnerabilities that Microsoft patched Tuesday, the software giant's customers have a new problem to grapple with: a fake notification e-mail that looks remarkably legitimate.

Attackers are apparently taking advantage of Microsoft's Patch Tuesday to send legitimate-looking e-mails that include a Trojan virus. Trojan.Backdoor.Haxdoor allows attackers to execute files and steal information from compromised computers. The fake mailing includes a legitimate-looking PGP signature, as well as purporting to come from a real Microsoft employee.

Christopher Budd, a security program manager in the Microsoft Security Response Center, offers this perspective on the e-mails in a security posting:

"We received some questions from customers about an e-mail that's circulating that claims to be a security e-mail from Microsoft. The e-mail comes with an attached executable, which it claims is the latest security update, and encourages the recipient to run the attached executable so they can be safe. While malicious e-mails posing as Microsoft security notifications with attached malware aren't new (we've seen this problem for several years), this particular one is a bit different in that it claims to be signed by our own Steve Lipner and has what appears to be a PGP signature block attached to it. While those are clever attempts to increase the credibility of the mail, I can tell you categorically that this is not a legitimate e-mail: it is a piece of malicious spam and the attachment is malware. Specifically, it contains Backdoor:Win32/Haxdoor."

Dancho Danchev at ZDNet's Zero Day ponders whether the timing of this malware campaign will affect its success rate.

"Compared to the recent targeted malware attack against U.S. schools, and the massive fake CNN news items campaign taking advantage of client-side vulnerabilities, this one is definitely going to have a lower success rate--no matter the timing," Danchev writes.

Microsoft's October 2008 security bulletin included four critical bulletins concerning Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel.
