[ISN] Senators propose sweeping data-security bill

[InfoSec News]

Forwarded from: Mark Bernard <Mark.Bernard at TechSecure.ca>

Dear Associates,

We knew something had to happen and while US and Canadian companies
are scrambling to become compliant with new SAS 70 and CICA 70 audit
standards by November 16th yet another new regulation looms with even
more changes coming. A couple things stand out the mandatory
implementation of a "comprehensive personal data privacy and security
program" , 5 years in prison for attempting to cover up a system
intrusion/break in, the use of social security numbers by credit
bureaus (that's not allowed here in Canada).

Best regards,
Mark.

Mark E. S. Bernard, CISM, CISSP, PM,
Principal, Risk Management Services,

e-mail: Mark.Bernard at TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444


Leadership Quotes by Kenneth Blanchard: "The key to successful leadership 
today is influence, not authority."


----- Original Message ----- 
From: "InfoSec News" <isn at c4i.org>
To: <isn at attrition.org>
Sent: Thursday, June 30, 2005 4:46 AM
Subject: [ISN] Senators propose sweeping data-security bill


> http://news.com.com/Senators+propose+sweeping+data-security+bill/2100-7348_3-5769156.html
>
> By Declan McCullagh
> Staff Writer, CNET News.com
> June 29, 2005
>
> Corporate data-security practices would be hit with an avalanche of
> new rules and information burglars would face stiff new penalties
> under a far-reaching bill introduced Wednesday in the U.S. Senate.
>
> The bill represents the most aggressive--and at 91 pages, the most
> regulatory--legislative proposal crafted so far in response to a slew
> of high-profile security breaches in the last few months.
>
> "Reforms like these are long overdue," Sen. Patrick Leahy, a Vermont
> Democrat, said in a floor speech. "This issue and our legislation
> deserve to become a key part of this year's domestic agenda so that we
> can achieve some positive changes in areas that affect the everyday
> lives of Americans."
>
> One portion of the bill, named the Personal Data Privacy and Security
> Act, restricts the sale or publication of Social Security numbers.
> Also, businesses would be prohibited from requiring SSNs except in a
> narrow set of circumstances such as obtaining credit reports and
> applying for a job or an apartment.
>
> Leahy, who had hinted at his plans in a speech in March and had his
> personal information lost by Bank of America, is co-sponsoring the
> bill with Pennsylvania Sen. Arlen Specter. Because Specter is the
> Republican chairman of the influential Judiciary committee, the
> measure could move swiftly through the normally torpid legislative
> process.
>
> "This is an evolving problem that is gigantic," Specter said at a
> press conference in the Capitol building. He predicted quick action
> because "we're not dealing with a highly controversial subject where
> there will be significant differences of opinion."
>
> While portions of the proposal are sure to be criticized by businesses
> that would be faced with more paperwork and compliance requirements,
> Congress nevertheless seems eager to act. In speech after speech,
> politicians have pledged to enact more laws to respond to the data
> mishaps--promises that have occasionally raised eyebrows because many
> of the intrusions were already illegal.
>
> Spurring politicians along has been series of security snafus
> involving firms including ChoicePoint--which claims to have fixed its
> problems--Bank of America, payroll provider PayMaxx, and Reed Elsevier
> Group's LexisNexis service. Other suggestions have included narrower
> measures to restrict the sale of SSNs or mandate notices of security
> breaches.