Data Breach Notification Laws: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors
445 pages
English

Description

Security breach notification laws have been enacted in most U.S. states since 2002. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information.


The first such law, the California data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003. As related in the bill statement, the law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data. Note that the trigger is acquisition of unencrypted personal information: data that was encrypted when it was acquired falls outside the notification duty, which is why encryption of stored personal information is treated as a safe harbor under this and most later state statutes.


In general, most state laws follow the basic tenets of California's original law: companies must disclose a data breach to affected customers promptly, usually in writing.


The European Union added a breach notification requirement to the Directive on Privacy and Electronic Communications (E-Privacy Directive) in 2009. Member States had to implement it in national law by 25 May 2011.


This book is your ultimate resource for Data Breach Notification Laws. Here you will find the most up-to-date information, analysis, background and everything you need to know.


In easy-to-read chapters, with extensive references and links to get you to know all there is to know about Data Breach Notification Laws right away, covering: Security breach notification laws, Directive on Privacy and Electronic Communications, Personally identifiable information, Computer security, Portal:Computer security, 2009 Sidekick data loss, AAFID, Absolute Manage, Accelops, Acceptable use policy, Access token, Advanced Persistent Threat, Air gap (networking), Ambient authority, Anomaly-based intrusion detection system, Application firewall, Application security, Asset (computer security), Attack (computer), AutoRun, Blacklist (computing), Blue Cube Security, BlueHat, Centurion guard, Client honeypot, Cloud computing security, Collaboration-oriented architecture, Committee on National Security Systems, Computer Law and Security Report, Computer security compromised by hardware failure, Computer security incident management, Computer security model, Computer surveillance, Confused deputy problem, Consensus audit guidelines, Countermeasure (computer), CPU modes, Cracking of wireless networks, Crackme, Cross-site printing, CryptoRights Foundation, CVSS, Control system security, Cyber security standards, Cyber spying, Cyber Storm Exercise, Cyber Storm II, Cyberconfidence, Cyberheist, Dancing pigs, Data breach, Data loss prevention software, Data validation, Digital self-defense, Dolev-Yao model, DREAD: Risk assessment model, Dynamic SSL, Economics of security, Enterprise information security architecture, Entrust, Evasion (network security), Event data, Event Management Processes, as defined by ITIL, Federal Desktop Core Configuration, Federal Information Security Management Act of 2002, Flaw hypothesis methodology, Footprinting, Forward anonymity, Four Horsemen of the Infocalypse, Fragmented distribution attack, Higgins project, High Assurance Guard, Host Based Security System, Host Proof Storage...and much more


This book explains in-depth the real drivers and workings of Data Breach Notification Laws. It reduces the risk of your technology, time and resources investment decisions by enabling you to compare your understanding of Data Breach Notification Laws with the objectivity of experienced professionals.

Information

Publication date: 24 October 2012
EAN13: 9781743332917
Language: English
File size: 16 MB

Excerpt

Topic-relevant selected content from the highest rated entries, typeset, printed and shipped.
Combine the advantages of up-to-date and in-depth knowledge with the convenience of printed books.
A portion of the proceeds of each book will be donated to the Wikimedia Foundation to support their mission: to empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally.
The content within this book was generated collaboratively by volunteers. Please be advised that nothing found here has necessarily been reviewed by people with the expertise required to provide you with complete, accurate or reliable information. Some information in this book may be misleading or simply wrong. The publisher does not guarantee the validity of the information found here. If you need specific advice (for example, medical, legal, financial, or risk management) please seek a professional who is licensed or knowledgeable in that area.
Sources, licenses and contributors of the articles and images are listed in the section entitled "References". Parts of the book may be licensed under the GNU Free Documentation License. A copy of this license is included in the section entitled "GNU Free Documentation License".
All used third-party trademarks belong to their respective owners.
Contents

Articles: Security breach notification laws, Directive on Privacy and Electronic Communications, Personally identifiable information, Computer security, Portal:Computer security, 2009 Sidekick data loss, AAFID, Absolute Manage, Accelops, Acceptable use policy, Access token, Advanced Persistent Threat, Air gap (networking), Ambient authority, Anomaly-based intrusion detection system, Application firewall, Application security, Asset (computer security), Attack (computer), AutoRun, Blacklist (computing), Blue Cube Security, BlueHat, Centurion guard, Client honeypot, Cloud computing security, Collaboration-oriented architecture, Committee on National Security Systems, Computer Law and Security Report, Computer security compromised by hardware failure, Computer security incident management, Computer security model, Computer surveillance, Confused deputy problem, Consensus audit guidelines, Countermeasure (computer), CPU modes, Cracking of wireless networks, Crackme, Cross-site printing, CryptoRights Foundation, CVSS, Control system security, Cyber security standards, Cyber spying, Cyber Storm Exercise, Cyber Storm II, Cyberconfidence, Cyberheist, Dancing pigs, Data breach, Data loss prevention software, Data validation, Digital self-defense, Dolev-Yao model, DREAD: Risk assessment model, Dynamic SSL, Economics of security, Enterprise information security architecture, Entrust, Evasion (network security), Event data, Event Management Processes, as defined by ITIL, Federal Desktop Core Configuration, Federal Information Security Management Act of 2002, Flaw hypothesis methodology, Footprinting, Forward anonymity, Four Horsemen of the Infocalypse, Fragmented distribution attack, Higgins project, High Assurance Guard, Host Based Security System, Host Proof Storage, Human-computer interaction (security), Inference attack, Information assurance, Information Assurance Vulnerability Alert, Information security, Information Security Automation Program, Information Security Forum, Information sensitivity, Inter-Control Center Communications Protocol, Inter-protocol communication, Inter-protocol exploitation, International Journal of Critical Computer-Based Systems, Internet leak, Internet Security Awareness Training, Intrusion detection system evasion techniques, Intrusion prevention system, Intrusion tolerance, IT baseline protection, IT Baseline Protection Catalogs, IT risk, IT risk management, ITHC, Joe-E, Kill Pill, LAIM Working Group, Layered security, Likejacking, Linked Timestamping, Lock-Keeper, MAGEN (security), Mandatory Integrity Control, Mayfield's Paradox, National Cyber Security Awareness Month, National Vulnerability Database, Neurosecurity, nobody (username), Non-repudiation, Novell Cloud Security Service, One-time authorization code, Opal Storage Specification, Open security, Outbound content security, Parasitic computing, Parkerian Hexad, Phoraging, Physical access, Polyinstantiation, Portable Executable Automatic Protection, Pre-boot authentication, Presumed security, Principle of least privilege, Privilege Management Infrastructure, Privileged Identity Management, Proof-carrying code, Public computer, Pwnie Awards, Real-time adaptive security, RED/BLACK concept, Reverse engineering, RFPolicy, Risk factor (computing), Rootkit, S/MIME, seccomp, Secure coding, Secure environment, Secure state, Secure transmission, Security architecture, Security awareness, Security bug, Security Content Automation Protocol, Security event manager, Security information and event management, Security information management, Security log, Security operations center (computing), Security principal, Security Protocols Open Repository, Security risk, Security testing, SecurityMetrics, SekChek Classic, SekChek Local, Separation of protection and security, Sherwood Applied Business Security Architecture, Simple Certificate Enrollment Protocol, Site Security Handbook, Sourcefire Vulnerability Research Team, Standard of Good Practice, Stepping stone (computer security), Supply chain attack, System Service Dispatch Table, Systems assurance, Threat (computer), Threat model, Timeline of computer security hacker history, Titan Rain, TitanFile, Trademark (computer security), Trust boundary, Trusted client, Trusted timestamping, Typed assembly language, Typhoid adware, Vanish (computer science), Virus Bulletin, Vulnerability Discovery Model, Web Access Management, Whitelist, Windows Security Log, Wireless identity theft, WS-Federation, WS-SecurityPolicy, WS-Trust, XSS worm, Zardoz (computer security), Zone-H

References: Article Sources and Contributors; Image Sources, Licenses and Contributors

Article Licenses: License
Security breach notification laws

Security breach notification laws have been enacted in most U.S. states since 2002. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information.[1] The first such law, the California data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003.[2] As related in the bill statement, the law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data. The duty is triggered by acquisition of unencrypted personal information; data that was encrypted when it was acquired is outside the statute, so encryption of stored personal information operates as a safe harbor.

In general, most state laws follow the basic tenets of California's original law: companies must disclose a data breach to affected customers promptly, usually in writing.[3] California has since broadened its law to include compromised medical and health insurance information.[4]

The National Conference of State Legislatures maintains a list of enacted and proposed security breach notification laws.[1]

A number of bills that would establish a national standard for data security breach notification have been introduced in the U.S. Congress, but none passed in the 109th Congress.[5] The European Union added a breach notification requirement to the Directive on Privacy and Electronic Communications (E-Privacy Directive) in 2009, through the amending Directive 2009/136/EC.[6] Member States had to implement it in national law by 25 May 2011.

External links
[7] Breach reporting requirements by state
[8] Interactive map comparing U.S. security breach notice laws (requires subscription)

References
[1] State Security Breach Notification Laws, http://www.ncsl.org/programs/lis/cip/priv/breach.htm
[2] SB 1386 Senate Bill - CHAPTERED, http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
[3] CSO Online: Interactive map comparing breach notification laws, http://www.csoonline.com/article/221322/CSO_Disclosure_Series_Data_Breach_Notification_Laws_State_By_State
[4] California AB 1298 (2007), http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_1251-1300/ab_1298_bill_20071014_chaptered.html
[5] Speaking of Security... Blog entry: Shannon Kellogg, Data security, http://www.rsa.com/blog/entry.asp?id=1173
[6] Amendment of Article 4 lit 3-5 of Directive 2002/58/EC (E-Privacy Directive) by Article 2 lit 4 c) of Directive 2009/136/EC, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:01:EN:HTML
[7] http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf
[8] http://www.lawserver.com/security-breach-notification
Directive on Privacy and Electronic Communications

European Union directive
Directive 2002/58/EC: Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector
Made by: European Parliament and Council
Made under: Art. 95
Journal reference: OJ L 201, 2002-07-31, pp. 37-47
History: made 2002-07-12; came into force 2002-07-31; implementation date 2003-10-31
Preparative texts: EESC opinion, OJ C 123, 2001-01-24, p. 53; EP opinion, OJ C 187, 2002-05-30, p. 103
Other legislation: amended by Directive 2006/24/EC and Directive 2009/136/EC
Status: current legislation
Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as the E-Privacy Directive, is an EU directive on data protection and privacy in the digital age. It continues earlier efforts, most directly the Data Protection Directive. It regulates a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. The Directive has been amended by Directive 2009/136/EC, which introduced several changes, especially concerning cookies, which are now subject to prior consent.

Subject-matter and scope

The Electronic Privacy Directive was drafted specifically to address the requirements of new digital technologies and ease the advance of electronic communications services.[1] The Directive complements the Data Protection Directive and applies to all matters which are not specifically covered by that Directive.[2] In particular, the subject of the Directive is the "right to privacy in the electronic communication sector" and the free movement of data, communication equipment and services. The Directive does not apply to Titles V and VI (Second and Third Pillar). Likewise, it does not apply to issues concerning public security and defence, state security and criminal law.[3] At present, the interception of data is covered by the new EU Data Retention Directive, the purpose of which is to amend the E-Privacy Directive.[4] Contrary to the Data Protection Directive, which specifically addresses only individuals, Article 1(2) makes it clear that the E-Privacy Directive also applies to legal persons.
Main provisions

The first general obligation in the Directive is to provide security of services.[5] The addressees are providers of electronic communications services. This obligation also includes the duty to inform subscribers whenever there is a particular risk, such as a virus or other malware attack.[6] The second general obligation is for the confidentiality of information to be maintained.[7] The addressees are Member States, who should prohibit listening, tapping, storage or other kinds of interception or surveillance of communication and "related traffic", unless the users have given their consent or the conditions of Article 15(1) have been fulfilled.

Data retention and other issues

The Directive obliges providers of services to erase or anonymise the traffic data processed when it is no longer needed, unless the conditions of Article 15 have been fulfilled.[8] Retention is allowed for billing purposes, but only for as long as the statute of limitations allows the payment to be lawfully pursued. Data may be retained with the user's consent for marketing and value-added services. For both of these uses, the data subject must be informed why and for how long the data is being processed.[9] Subscribers have the right to non-itemised billing. Likewise, users must be able to opt out of calling-line identification.[10] Where data relating to the location of the user or other traffic data can be processed, Article 9 provides that this is only permitted if such data is anonymised, where users have given consent, or for the provision of value-added services. As in the previous case, users must be informed beforehand of the character of the information collected and have the option to opt out.[11]

Spam

Article 13 restricts the use of email addresses for direct marketing. The Directive establishes an opt-in regime, where unsolicited emails may be sent only with the prior agreement of the recipient. A natural or legal person who initially collects address data in the context of the sale of a product or service has the right to use it for commercial purposes, provided the customers have a prior opportunity to reject such communication, either where it was initially collected or subsequently. Member States have the obligation to ensure that unsolicited communication is prohibited, except in the circumstances given in Article 13. Two categories of emails (or communication in general) are also excluded from the scope of the prohibition: the first is the exception for existing customer relationships and the second for marketing of similar products and services.[12] The sending of unsolicited text messages, whether SMS messages, push mail messages or any similar format designed for consumer portable devices (mobile phones, PDAs), also falls under the prohibition of Article 13.[13]

Cookies

The Directive provision applicable to cookies is Article 5(3). Recital 25 of the Preamble recognises the importance and usefulness of cookies for the functioning of the modern Internet and directly relates Article 5(3) to them, but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies. For cookies that are deemed to be "strictly necessary" the consent of the user is not needed. An example of a "strictly necessary" cookie is one set when you press "add to basket" or "continue to checkout" when shopping online: the browser must carry information from a previous web page to complete the transaction. The article is technology neutral, not naming any specific technological means which may be used to store data. This reflects the EU legislator's desire to leave the regime of the directive open to future technological developments; in practice the same consent rule covers other means of storing or reading information on the user's device, such as local storage, not only HTTP cookies.
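One way to operationalise the "strictly necessary" distinction on the server side, as an added example that is not part of the book or of the Directive text: a hypothetical shop's cookie catalogue marks the basket/session and CSRF cookies as necessary and gates analytics and advertising cookies on a consent record that is itself stored in a necessary cookie. The cookie names, the `consent_prefs` format and the request shape are assumptions made for illustration; the attribute hardening (Secure, HttpOnly, SameSite) is ordinary good practice rather than something Article 5(3) prescribes.

```javascript
'use strict';

// Catalogue of cookies this hypothetical shop may set. `necessary: true` marks a
// cookie needed to deliver a service the user explicitly requested (basket and
// checkout state, request-forgery protection); everything else waits for consent.
// Names and lifetimes are assumptions for this example.
const COOKIE_POLICY = {
  shop_session:  { necessary: true,  purpose: 'basket and checkout state',  maxAge: 1800 },
  csrf_token:    { necessary: true,  purpose: 'request forgery protection', maxAge: 1800 },
  analytics_id:  { necessary: false, purpose: 'usage analytics',            maxAge: 31536000 },
  ad_profile:    { necessary: false, purpose: 'advertising profile',        maxAge: 31536000 },
};

// Which consent category unlocks each non-necessary cookie.
const CONSENT_CATEGORY = { analytics_id: 'analytics', ad_profile: 'ads' };

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
// Malformed percent-encoding is kept verbatim rather than crashing the request.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw;
    }
  }
  return out;
}

// The consent record lives in `consent_prefs`, a comma-separated list of granted
// categories (assumed format, e.g. "analytics,ads"). Storing the user's choice is
// itself strictly necessary, so this cookie never needs consent.
function parseConsent(cookies) {
  const raw = cookies.consent_prefs;
  if (!raw) return new Set();
  return new Set(raw.split(',').map((s) => s.trim()).filter(Boolean));
}

// One hardened Set-Cookie header. None of these cookies is read by front-end
// script, so HttpOnly is always set; Secure keeps them off cleartext HTTP.
function formatSetCookie(name, value, maxAge) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Decide which of the requested cookie values may be issued for this request.
// Necessary cookies are always issued; consent-gated cookies only when the
// consent record names their category. Returns { headers, skipped }.
function planSetCookies(requestCookieHeader, values) {
  const cookies = parseCookieHeader(requestCookieHeader);
  const consent = parseConsent(cookies);
  const headers = [];
  const skipped = [];
  for (const [name, policy] of Object.entries(COOKIE_POLICY)) {
    if (!(name in values)) continue;
    const allowed = policy.necessary || consent.has(CONSENT_CATEGORY[name]);
    if (allowed) headers.push(formatSetCookie(name, values[name], policy.maxAge));
    else skipped.push(name);
  }
  return { headers, skipped };
}

// Constructed sample requests (not real traffic).
const WANTED = { shop_session: 'abc123', csrf_token: 'tok', analytics_id: 'ga-1', ad_profile: 'p-9' };
// A shopper with a basket but no consent recorded yet.
const noConsent = planSetCookies('shop_session=old', WANTED);
// The same shopper after opting in to analytics only.
const analyticsOnly = planSetCookies('shop_session=old; consent_prefs=analytics', WANTED);

console.log('no consent   ->', noConsent.headers.length, 'cookies issued, withheld:', noConsent.skipped.join(', '));
console.log('analytics ok ->', analyticsOnly.headers.length, 'cookies issued, withheld:', analyticsOnly.skipped.join(', '));
```

With no consent recorded, only the two necessary cookies are issued and both tracking cookies are withheld; after the user opts in to analytics, the analytics cookie is issued while the advertising cookie is still held back. The point worth carrying over to a real deployment is that the consent check sits in the one place that emits Set-Cookie, rather than in each page template.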