Internet industry representatives warned a privacy bill introduced in the U.S. Congress by Rep. Bobby Rush of Illinois has serious unintended consequences and could even harm the nation's economy unless its sponsor rewrites it. The proposal slaps fines of up to $5 million on businesses and even some individuals unless they abide by a complex set of new regulations to be administrated by the Federal Trade Commission.
Rush's legislation is called the Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act, or Best Practices Act of 2010.
That legislation "would turn the Internet from a fast-moving information highway to a slow-moving toll-road," a vice president of public policy at the Interactive Advertising Bureau, told Rush's committee. "Such a move would hinder, not facilitate e-commerce." The group's board members include representatives of Google, Facebook, Microsoft, AOL, Comcast, Amazon.com, Fox Interactive, and CBS Interactive, which publishes CNET.
The 55-page measure arrives as companies' data collection and use practices are being subjected to increasing scrutiny on Capitol Hill, in part because of high-profile privacy missteps by Facebook and Google that have drawn criticism from some politicians.
Rush's bill applies to any "person" or business that stores personal information, including someone's name, mailing address, e-mail address, and phone or fax number. That person must provide, if requested, "access to" information stored about others.
There is an exemption for small businesses, but not if they hold 15,000 or more names, e-mail addresses, or other personal information in their records. The language is broad enough to apply to local retailers, small businessmen like plumbers and carpenters, and even individuals who have a sufficient quantity of e-mail addresses on their PCs. (The free-market Competitive Enterprise Institute notes that numerous "small businesses and nonprofits across the nation routinely store basic details, such as phone numbers and e-mail addresses," with little in the way of privacy catastrophe.)
Rush hopes to mandate new "physical safeguards" that apply to anyone holding 15,000 or more records, encourage civil litigation over possible violations, and impose new regulations such as saying business "shall retain such data only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement."
Today, more than ever, companies are confronted with a broad array of electronic document issues, including data retention policies and e-discovery during litigation. Failing to comply with rules regarding such electronic data can cost millions of dollars.
CobiT and Massachusetts Data Protection Checklists Added to Template
New with version are Cobit and Massachusetts Data Protection compliance materials. This electronic document is over 230 pages and can be used in the creation of security policies and procedures for any size entity. Janco's CEO said, "The process of creating effective policies and procedures that comply with mandated requirements such as Sarbanes-Oxley and Massachusetts Data Protection with the current security threats and tight budgets is daunting. Every corporation and organization needs a universal and comprehensive set of security processes to safeguard the use of their computers and all related equipment and information assets which support enterprise wide operations. The Security Manual Template meets those needs."
The Security template complies with Sarbanes-Oxley, HIPAA, Cobit and mandated state requirements. The template includes a sensitive information policy and has been updates to include checklists for employee terminations and other security related forms. In the age of information, organizations live and die on one thing, information. "Security breaches can have dramatic impact the information assets of every organization", stated Janco's CEO. Therefore, implementing an understandable and usable set of security policies and procedures is a necessity.
Janco's Security Manual Template provides guidelines and actual policies and procedures for any organizations. It is a model any sized organization can use. It is comprehensive without being wordy or pedantic. The processes created are concise and easily understood by all employees. "The template has checklists and examples of what is needed to get secure information assets, systems and networks. Janco's work with clients who have suffered security breaches has been used in creation of this inexpensive template", asserted the CEO. "The template is the blueprint that can be used by any organization".
For instance in one case, the SEC alleged that defendant failed to produce tens of thousands of emails sought by the SEC in two investigations. The court entered an 8-page consent judgment against defendant. Three of the major points in the judgment were:
Defendant was ordered to pay $15,000,000
Defendant was permanently enjoined from violating Section 17(b) of the Securities Exchange Act of 1934 (requiring a prompt document production, including electronic documents); and
For one year, Defendant, at its own cost, was ordered to hire an independent consultant (acceptable to the SEC) to review and evaluate defendant's policies, procedures, and training in order to comply with the judgment. The independent consultant could make recommendations which must be adopted by Defendant.
Whether it is government agencies, research facilities, banking institutions, credit card processing companies, hospitals or your company's computers - the risk of compromising private information is very high -- especially when when conducting a disaster recovery tests. Since business relies so heavily on technology today, business risk becomes technology dependent. The possibility of litigation is part of business. It has always been a risk of doing business, but because technology and today's business are so intertwined, business risk has a higher threat level. This has prompted many to encrypt workstations and mobile computers in order to protect critical business data
If you have rolled out encryption, how do you maintain your IT service quality when the hard disk drive fails? How do you plan and prepare for a data loss when the user's computer is encrypted? These are all issues that should be considered when putting together a data disaster plan. In addition, data recovery, one of the more common missing elements of a disaster recovery plan, should also be factored in because it can serve as the last ditch solution when all other options have been exhausted.