Personal Data Privacy and Security Act
by Hu Yoshida on Dec 5, 2005
Senators Arlen Specter and Patrick Leahy introduced the Personal Data Privacy and Security Act of 2005.
“Our laws need to keep pace with technology,” said Leahy. “Insecure databases have become low-hanging fruit for hackers looking to steal identities and commit fraud during a time when we are seeing a troubling rise in organized rings that target personal data to sell in online, virtual bazaars.”
This act was introduced this summer after serious breaches of data security at ChoicePoint and LexisNexis. Those breaches came to light because of California Senate Bill 1386, which requires notification of California residents when their personal data is exposed. The Senate Judiciary Committee approved the bill before Thanksgiving, and it now goes to the full Senate. The bill would require companies whose databases hold personal information on more than 10,000 US citizens to establish and implement data privacy and security programs and to vet the third-party contractors they hire to process that data.
Section 402 of the act requires covered business entities to create a data privacy and security program. That program must: regularly assess, manage and control risks to data privacy and security; train employees to carry out the program; conduct tests to identify system vulnerabilities; and periodically reassess the program to ensure it addresses current threats. Covered business entities would have to comply within one year of enactment.
This puts even more urgency on the implementation of data and storage security, which will be top of mind for the storage industry in 2006. The SNIA Security Technical Work Group (TWG) has already published tutorials and defined the elements of data security to include:
- Storage System Security (SSS) – Securing embedded operating systems and applications as well as integration with IT and security infrastructure (e.g., external authentication services, centralized logging, firewalls, etc.).
- Storage Resource Management (SRM) – Securely provisioning, monitoring, tuning, re-allocating, and controlling the storage resources so that data may be stored and retrieved.
- Data In-Flight (DIF) – Protecting the confidentiality, integrity and/or availability of data as they are transferred across the storage network, the LAN, and the WAN.
- Data At-Rest (DAR) – Protecting the confidentiality, integrity and/or availability of data residing on servers, storage arrays, NAS appliances, tape libraries, and other media (especially tape).
Data at rest must also cover data that has been deleted or is no longer needed. Hitachi’s Tiered Storage Manager not only automates the movement of data between storage tiers but also includes a data shredding algorithm, based on DoD data security specifications, to ensure that whatever was left on the previous tier after a move is destroyed rather than merely unmapped.
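To make concrete what a DoD-style multi-pass shred actually does, here is an added example written for this post; it is not Hitachi’s Tiered Storage Manager code, and the page does not say which DoD pattern sequence that product uses. The example assumes the commonly cited three-pass clear (fixed pattern, its complement, then random data), reads each fixed pass back to verify it landed, truncates the file so no length hint survives in the inode, and only then unlinks it. The sample record and the temporary file are constructed for the demonstration.

```python
import os
import secrets
import tempfile

# Constructed sample record standing in for the personal data the post is about.
SAMPLE_RECORD = b"name=Jane Q. Public;ssn=000-00-0000;card=4111111111111111\n" * 64

# Overwrite sequence. ASSUMPTION: the page only says "DoD data security
# specifications"; this is the widely cited three-pass clear (pattern,
# complement, random), not Hitachi's actual implementation.
DEFAULT_PASSES = (b"\x00", b"\xff", None)  # None means random bytes

CHUNK = 1 << 16


def overwrite_pass(fd, size, pattern):
    """Overwrite the first `size` bytes of fd with `pattern` (or random data)."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else pattern * n
        written = os.write(fd, buf)  # may be short; the offset advances by `written`
        if written <= 0:
            raise OSError("short write during shred")
        remaining -= written
    os.fsync(fd)  # push the overwrite through the OS page cache to the device


def verify_pass(fd, size, pattern):
    """Read back the first `size` bytes and confirm every byte equals `pattern`."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        data = os.read(fd, min(CHUNK, remaining))
        if not data:
            return False  # file is shorter than expected
        if data != pattern * len(data):
            return False
        remaining -= len(data)
    return True


def shred_file(path, passes=DEFAULT_PASSES):
    """Overwrite, verify each fixed pass, truncate, unlink. Returns a small report."""
    size = os.path.getsize(path)
    verified = 0
    fd = os.open(path, os.O_RDWR)
    try:
        for pattern in passes:
            overwrite_pass(fd, size, pattern)
            if pattern is not None:  # random passes cannot be checked against a fixed value
                if not verify_pass(fd, size, pattern):
                    raise OSError(f"verification failed for pattern {pattern!r}")
                verified += 1
        os.ftruncate(fd, 0)  # leave no length hint behind in the inode
        os.fsync(fd)
    finally:
        os.close(fd)
    os.unlink(path)
    return {"bytes": size, "passes": len(passes), "verified": verified}


def demo_shred():
    """Write the constructed record to a temp file, shred it, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "customer_export.dat")
        with open(path, "wb") as f:
            f.write(SAMPLE_RECORD)
        report = shred_file(path)
        report["exists_after"] = os.path.exists(path)
        return report


if __name__ == "__main__":
    print(demo_shred())
```

One caveat worth keeping in mind when reading the post: an overwrite issued through a filesystem only reaches the blocks currently mapped to that file. Journaling and copy-on-write filesystems, snapshots, SSD wear levelling and thin-provisioned arrays can all keep earlier copies of the data elsewhere, which is exactly why shredding at the array or block layer, as the storage-tiering product above does, or cryptographic erasure of the underlying media, is the stronger control.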
As Dave Hitz points out in his blog post “Data Security Broadly Defined”, we need to broaden our customers’ thinking, not just about our own vendor solutions, but to help them understand solutions from folks like Symantec, Microsoft, Cisco, CA, McAfee, Trend Micro, WebWasher, Acopia, Juniper, Neopath, Websense, and so on.
Comments (3)
The Personal Data Privacy and Security Act, coupled with the Sarbanes-Oxley Act, is part of a growing body of legislation that makes it mandatory for organisations to develop and implement appropriate information security measures and controls around personal information and financial systems, which have for too long been an easy target for criminals and for internal staff carrying out unauthorised actions on systems without authorisation. However, in my view, due to the global nature and impact of information security breaches, all countries need to enact information security legislation which makes it an offence not to implement appropriate information security requirements. This legislation and these regulations must also provide, by way of guidelines, what minimum security requirements are acceptable.
At over 90 pages, the bill is a comprehensive (and complex) attempt to address the privacy and security issues that have recently come to light following a number of large scale security breaches.
Nice information, and I think that most of the private and security companies are encouraging this point for getting and also giving more benefits to their members.