Posted in Cybersecurity

Privacy Dispatches

How Do You Engineer Privacy? NIST Seeks Answers

Last week, the National Institute of Standards and Technology (NIST) hosted a workshop to discuss and develop the concept of privacy engineering. Although a great deal was covered, three topics recurred throughout the workshop and appeared to be of special interest to NIST: the lack of technical standards concerning privacy, the role engineers can play in protecting privacy and the role NIST should play in the privacy field going forward.

Cybersecurity

Is SEC Cybersecurity Guidance Working?

Imagine that the FBI and DHS have arrived at your company to inform you of a potential cyber threat. Your public company disclosure obligations may not be the first thing on your mind, but such issues will quickly emerge.

Cybersecurity

Why Privacy Pros Should Embrace NIST’s Final Cybersecurity Framework

By Richard Santalesa, CIPP/US

By now the saga is familiar. After the White House tasked the National Institute of Standards and Technology (NIST) last February with developing a “Cybersecurity Framework” to reduce cybersecurity risks connected with “critical infrastructure,” a year to the day later, NIST released its final Version 1.0 of a “Framework for Improving Critical Infrastructure Cybersecurity” along with a companion “Roadmap” and supporting documents.

The many NIST workshops and weekly conference calls over the last year—full disclosure: I took part in many of NIST’s working group calls—initially resulted in a draft and then a 44-page preliminary framework, released last October and covered by the IAPP here. The preliminary framework spurred significant discussion and controversy during the 45-day public comment period following its release, primarily in connection with the “Privacy Methodology” depicted in Appendix B.

More from Richard Santalesa

Cybersecurity

SEC and Cybersecurity—What Publicly-Traded Companies Need to Know

With the news that Target intends to wait until it files its annual report with the Securities and Exchange Commission (SEC) in March to report on the investment consequences of its massive 2013 cybersecurity intrusion, the SEC and cybersecurity once again gain attention.

From the Wire

Tuning the Privacy/Customer Service Dial

By Jedidiah Bracy, CIPP/US, CIPP/E

Twitter handles can be valuable commodities, and no story better demonstrates that than one described by web developer Naoki Hiroshima. Originally published on his personal blog and then republished with permission by TheNextWeb, “How I lost my $50,000 Twitter username” describes the ordeal he went through when a hacker decided he wanted Hiroshima’s Twitter handle @N—registered to Hiroshima since 2007.

In a nutshell, a hacker decided he wanted @N and was going to do just about anything to get it—without paying any money, of course. To do so, according to the hacker himself (someone call “Ripley’s Believe It or Not”), he socially engineered his way into Hiroshima’s GoDaddy account, which controlled several of his website domains, in order to wrest control of @N from Hiroshima. Give up the Twitter handle and the hacker would take his hands off the throat of Hiroshima’s websites.

Extortion at its finest.

More from Jedidiah Bracy

Opinion

Is the Congressional Response to the Target Breach Off-Target?

In the aftermath of the Target breach announced last month, there has been understandable anxiety on the part of consumers and understandable concern by lawmakers about how to respond to large-scale breaches of this type.

In recent weeks, there have been calls by members of Congress for hearings on the Hill. Several Senators have demanded an investigation by the Federal Trade Commission (FTC) and have discussed legislation beefing up the FTC’s enforcement powers—although as I’ve written here previously, the FTC has not exactly needed an engraved invitation to investigate data breaches in recent years and does not seem to have been inhibited at all by the lack of clear (some might say any) authority to do so. And just this week, Sen. Patrick Leahy (D-VT) reintroduced the Personal Data Privacy and Security Act, which among other things would create a national breach notification standard.

More from Jason Weinstein

Cyber Insurance

Cyber Insurance: Three Common Myths Debunked

By Michael Bruemmer, CIPP/US

In the past, cyber insurance was a polarizing issue in my discussions with privacy and risk professionals. Some professionals were adamant about the benefits of cyber insurance, while others worried that the policies currently on the market didn’t meet their needs or were too costly. However, I believe the industry is maturing and the coverage options today are much better than just a few years ago.

More from Michael Bruemmer

Trending

For Feds and DEF CON, the Party’s Over…For Now

By Jedidiah Bracy, CIPP/US, CIPP/E

News that the annual DEF CON hacking convention has barred U.S. government officials from attending the event—a first in its 21-year history—is just one more example of fraying trust and fallout from last month’s NSA surveillance disclosures.

The event brings together some of the brightest minds—from hackers to privacy advocates to artists—and is often a place where U.S. government officials can recruit folks for its intelligence programs, or as ZDNet’s Violet Blue writes, “a place where hackers, security researchers, corporate recruiters, digital frontier legal eagles and law enforcement have mingled and boozed it up on noncombatant territory.”

Well, not this year, at least.

More from Jedidiah Bracy