Friday, April 01, 2005

News of the World

(from Mike McGuire, reporting remotely from Minnesota, these stories in Steptoe & Johnson's E-Commerce Law Week, March 26, 2005)

Dear Feds, Send Money or the IT Infrastructure Could Get It

They say money makes the world go 'round . . . And now a group of experts is warning that without a serious cash infusion, the nation's information technology (IT) infrastructure world is at grave risk of being knocked off its axis by a terrorist or criminal attack. In a report entitled "Cyber Security: A Crisis of Prioritization," the President’s Information Technology Advisory Committee (PITAC) -- an advisory body of IT leaders in academia and industry -- argues that the IT infrastructure of the US is "highly vulnerable to terrorist and criminal attacks." The report, made public on March 18, calls for a drastically increased federal role in supporting the development of new cybersecurity technologies. PITAC warns that short-term solutions to infrastructure vulnerability, like patching or retrofitting software, are inadequate and that only a massive deployment of money and manpower can successfully address the "large structural insecurities" of the nation's IT infrastructure. We've heard such dire warnings before, however, to little discernible effect. But perhaps the current spotlight on identity theft and data security breaches will lend some heft to the argument that the security of the nation's cyber infrastructure deserves at least as much attention as the data it carries.

Bank Regulators Beat Congress to the Punch on Security Breach Notifications

With all the Congressional activity on data security and identity theft these days, it's easy to forget that threats of new legislation are only half the story. In some industries, federal regulators are already setting guidelines for when companies should disclose security breaches. For example, the four federal financial industry regulators have issued "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" to instruct financial institutions on when they will be expected to report security breaches of "sensitive customer information" -- whether that information is stored electronically or in paper form. The federal regulators will view a financial institution's failure to comply with the guidance as an unsafe and unsound information security practice.
