Friday, September 7, 2012

Proposed amendments to FAR - Attention GSA'ers

DoD, GSA and NASA are proposing to amend the FAR with a new subpart and contract clause for anyone contracting with Uncle Sam or handling government data.  The changes would require contractors or organizations handling government data to take certain information security measures and these would be contractually required.

Written comments are due on or before October 23rd, and the FAR case is 2011-020.

"Basic safeguarding" of data includes such items as:
  • Use of public computers
  • Intrusion protection
  • Transmitting of electronic information
  • Physical and electronic barriers
According to the proposed rule, basic protection measures are "first-level information technology security measures used to deter unauthorized disclosure, loss, or compromise."
It is interesting to note that although these measures should already be covered under FISMA, the proposed rule also applies to the use of COTS products.  Anyone contracting with Uncle Sam should keep abreast of the changes and provide comments.

http://www.gpo.gov/fdsys/pkg/FR-2012-08-24/pdf/2012-20881.pdf



Friday, July 27, 2012

Thought for the day

Optimists look at a glass of water filled 50% and say it is half full.
Pessimists look at the same glass and say it is half empty.

A security person looks at the glass and says, "How do I know this is water and not some deadly chemical?"

Chris Cunningham

Friday, June 1, 2012

Cookie Guidance from the UK ICO

In 2002 the European Directive 2002/58/EC laid the groundwork for the protection of privacy in electronic communications. This was amended in 2009 by Directive 2009/136/EC, commonly referred to as the “cookie rule”. This directive required governments in the EU to implement these changes in their own laws by May 25, 2011. The UK ICO allowed a “lead-in period” of one year, and that year is now up. On May 25th, the UK ICO published its recommendations on the directive, explaining how the UK ICO views the issues and requirements in the directive, as well as giving some insight into how enforcement actions may take place within the UK. This is a valuable resource for organizations operating websites in the UK.



As should be anticipated, any cookies that are not strictly necessary or any cookies that handle sensitive data should get extra attention, since you can be assured the DPAs will be paying special attention to them. This is an area where explicit consent should be obtained.

A couple of items from the guidance should be noted by any organization using cookies on its website, especially cookies that track users' actions across multiple sessions.

• Explicit consent is not a requirement in all cases.
• Users of the site should be conspicuously advised of the use of cookies on the site, and of their choices in allowing the cookies.
• The exception for a cookie being “strictly necessary” should be used very narrowly.
• Make the use of third-party cookies very clear to the end user.



Friday, February 24, 2012

How a carrot and a stick relate to US privacy legislation

Yesterday, the Obama Administration released its latest effort to effect real privacy standards and legislation, in what it is calling the Consumer Privacy Bill of Rights. The paper, entitled Consumer Data Privacy in a Networked World, outlines several measures that will drag the US, kicking and screaming, into the development of a real privacy standard that will rival the European and OECD standards and directives.
The plan is broken down into several areas. First, there is a Consumer Privacy Bill of Rights that is similar to the OECD Privacy Principles, albeit unnecessarily complicated and duplicative. Secondly, the Bill of Rights would be implemented in Codes of Conduct that industry would need to develop in concert with the government’s “assistance”. Thirdly, the FTC would be the enforcer of these codes of conduct similar to their current role. Lastly, the plan calls for a Federal breach notification standard and calls for enforceable federal legislation that would enable mutual recognition by other countries. To date, Congress has failed miserably in every attempt to enact Federal data privacy legislation, so I applaud the Administration for trying the carrot approach, since the stick has not been effective.

Consumer Privacy Bill of Rights

The Obama Administration is hoping that, even if Congress does not implement Federal legislation, this will be the starting point for industry discussion and the beginning of privacy standards that can be used by businesses and industries. The Bill of Rights is similar to the OECD standards and includes:

• Individual Control
• Transparency
• Respect for Context
• Security
• Access and Accuracy
• Focused Collection
• Accountability

Codes of Conduct

The plan calls for companies and groups to develop these codes of conduct in cooperation with the FTC and the National Telecommunications and Information Administration (NTIA). The enforcement powers would most likely be given to the FTC under Section 5 of the FTC Act, similar to how the FTC now brings actions against organizations for unfair and deceptive trade practices. Any Federal legislation resulting from this should preempt state laws to the extent they are inconsistent with the Federal law.

Time will tell if the plan will advance privacy legislation and improve consumer protection, but it is already an improvement on anything we have seen come down from Capitol Hill – which is nothing. If this indeed moves forward, the next step will be gaining recognition by the EU, but forgive me if I don’t hold my breath on this just yet.

More to come on this topic as it develops.