Digital Literacy
Rescooped by Claire Gorman from HIPAA Compliance for Medical Practices
onto Digital Literacy

Obama's Breach Notification Plan Lacks Specifics

President Obama's call for enactment of a national data breach notification law has been widely welcomed by business groups and privacy advocates, but their endorsements come with a big proviso: What's in it? The White House hasn't provided details, yet.

The groups largely agree that a national breach notification law makes sense because it would simplify the reporting of data breaches. As it stands now, businesses must comply with 47 different state statutes. With a national law, there would be only one set of rules to follow. But as the old saw goes, the devil is in the details, and the White House has yet to give a timetable for when it will reveal those particulars.

Except for a requirement that businesses notify customers within 30 days of a data breach, no other details about Obama's proposal have been made public by the White House, despite repeated requests to do so. And even the 30-day requirement is murky; exceptions to the time limit could delay notification.

The Caveat

The National Retail Federation endorses Obama's call to nationalize data breach notification, but "with a caveat," says NRF Media Relations Director Stephen Schatz. "We do remain a bit concerned about the 30-day timeframe," he says. "We don't know all of the details; we don't know if there's any loopholes or restrictions or delays based on certain patterns or metrics. All we know is that you heard 30 days."

Consumer rights advocates also have expressed concerns about Obama's proposal, especially if a national statute would weaken strong protections some states furnish in their laws. They say states should be allowed to implement more stringent requirements if the federal law isn't as tough as some state statutes.

"It's good that the president has re-focused on privacy and data security issues, but it would be terrible if his proposals preempt stronger state laws and offer less protection," says John Simpson, privacy project director at the not-for-profit advocacy group Consumer Watchdog. "Any national consumer privacy laws should be a floor, not a ceiling. States must be allowed to enact stronger measures."

Yet that wouldn't placate most businesses that seek simplification brought on by a single law. "Any federal standard should therefore contain strong state pre-emption language," says Elizabeth Hyman, executive vice president for public advocacy at TechAmerica, a high-tech industry trade group.

Flashback to 2011

To get an idea what might be in Obama's new proposal, look at the White House's 2011 national data breach notification initiative. That bill would have given businesses up to 60 days to notify consumers and the Federal Trade Commission of a breach unless there was no reasonable risk of harm or fraud. Other provisions in the 2011 legislative proposal included:

Businesses receiving a 30-day extension in reporting breaches in order to conduct further investigation.

Businesses being exempted from reporting if they conducted risk assessments showing that the breach didn't harm individuals whose personally identifiable information was exposed; the exposed data were rendered unusable through technology generally accepted by IT security experts; or they participated in a security program that effectively blocked the use of the sensitive PII.

Instituting civil penalties of up to $1,000 a day per individual affected by a breach, up to a maximum of $1 million per violation, unless such conduct was found to be intentional.

Businesses having to notify the local news media if more than 5,000 individuals were affected by the breach within any state. For larger breaches, businesses also would have had to notify national credit reporting agencies.

The 2011 legislation also would have required certain breaches to be reported to an entity designated by the secretary of Homeland Security, including cases affecting more than 5,000 individuals; breaches involving a database containing information on more than 500,000 individuals nationwide; breaches involving databases owned by the federal government; or breaches involving employees or contractors to the federal government involved in national security or law enforcement.

Timing Behind Obama Proposal

White House Press Secretary Josh Earnest, at a briefing Jan. 12, sidestepped a question on how the new proposal differs from the 2011 one. But he said the timing is right to propose such legislation because the Sony breach gets the attention of lawmakers.

"The proposal that we have sent up, or will send up, is one that does have the strong support of consumer groups because they recognize how important it is for companies to fulfill their obligations to communicate clearly with their consumers and their customers to make sure those customers can take appropriate steps to protect their privacy and protect against identity theft," Earnest said. "At the same time, this is also welcome news to industry, because this clarity associated with one specific national standard would make it clear to them what sort of obligations they need to fulfill to their customers."

Notwithstanding the president's proposal, lawmakers who have sponsored data breach notification bills in the past, including Democratic Sens. Patrick Leahy of Vermont and Dianne Feinstein of California, say they'll do so again in the current Congress. "In just the last 18 months, many millions of Americans have had data stolen in hacks of Target, Neiman Marcus, Home Depot, Sony, JP Morgan Chase and other companies," Feinstein says. "Cyber-attacks cost the economy hundreds of billions of dollars a year, and this will only get worse. Congress must take steps to minimize the damage."

Advancing the State of the Union Address

Obama outlined his latest data breach notification proposal along with other initiatives aimed at protecting consumer online privacy and battling identity theft during a Jan. 12 speech at the Federal Trade Commission. The president is spending the first half of this week promoting his cyber agenda in advance of his State of the Union address that will feature steps to promote and safeguard the digital world. On Jan. 13, Obama will visit the Department of Homeland Security to outline his cyberthreat information sharing plan, and on Jan. 14 he travels to Iowa to promote broadband access. "I'm laying out some new proposals on how we can keep seizing the possibilities of an Information Age, while protecting the security and prosperity and values that we all cherish," he said in his FTC speech.

 

Also on Jan. 13, Obama is meeting with key lawmakers to discuss his cyber agenda. One of those lawmakers is the newly minted chairman of the Senate Commerce, Science and Transportation Committee, John Thune, R-S.D. Thune says he's ready to work with the president on data breach notification and other cybersecurity legislation. But his statement about the president's agenda had a partisan ring to it: "I welcome President Obama back to the discussion on cybersecurity in the wake of the highly publicized cyber-attack on Sony Pictures," says Thune, who took over chairmanship of the panel, which would consider data breach notification legislation, after the Republican victory in November's election.

Thune complains that Obama didn't do enough late last year to get the then-Democratic majority in the Senate to enact other cybersecurity-related bills, including one to share cyberthreat information. "President Obama's engaged support for similar legislation this Congress would help address cyberthreats, improve privacy protections and would also begin to address concerns over the president's go-it-alone approach of unilateral executive actions on cyber and other issues."

White House's Disappointment with Congress

Earnest, at the press briefing, declined to explain how the cyberthreat information sharing proposal the president will present on Jan. 13 differs from the House-passed Cyber Intelligence Sharing and Protection Act, a measure the White House twice threatened to veto in the past two Congresses. "Well, we'll save tomorrow's news for tomorrow," he said. "But you have heard me say on a number of occasions that we've been pretty disappointed that Congress has not fulfilled their responsibility that they have to deal with this critically important issue."

The administration threatened a veto because White House officials contend CISPA didn't go far enough to protect individuals' privacy and went too far in furnishing liability protection to businesses that shared cyberthreat information.

"We would hope that that would not be something that would get bogged down in partisan debates," Earnest said. "This is something we should all be able to agree on. We'll see. I think the same thing - same description could apply to the kinds of cybersecurity legislation that the president looks forward to talking about tomorrow. But for the details of that, we'll have more on that for you."

 


Via Technical Dr. Inc.
Claire Gorman's insight:

We selected this article because it's current, topical and of relevance to the students in terms of data protection.

 

We do agree that there is an inherent risk of data being breached and putting the country's security and reputation at risk. (Refer to this week's events - hacking of military data). We also agree that there should only be one law to make things clearer. Public awareness needs to be raised immediately. We question the benchmark figure before the media needs to be notified of a breach.

Rescooped by Claire Gorman from Digital Disruption in Pharma

FDA & DOJ Oversight in the Internet Age

An FDA rebuke of televised comments made by Aegerion’s CEO—which led the company to air a TV commercial correcting the statements—was prompted by complaints from a government drug reviewer, according to emails viewed by The Wall Street Journal.

 

Drug-industry experts said the proliferation of media in the digital age has given regulators more opportunity—and more responsibility—to probe for potentially misleading statements. In the past, the agency focused its enforcement efforts primarily on written marketing materials targeted at consumers or physicians.

 

“If you go way back to the 1990s, before all this social media and 24-7 cable news, the rules were pretty easy,” said Timothy S. Ayers, a regulatory consultant with Porzio, Bromberg & Newman PC.

 

Mr. Beer’s remarks “misleadingly suggest that Juxtapid” extends patients’ lives, though that hasn’t been proven, the warning letter said. The letter also was critical of Mr. Beer for not mentioning any of the drug’s side effects.

 

In July, Aegerion aired a commercial in which Chief Medical Officer Mark Sumeray corrected Mr. Beer's statements. CNBC declined to run the ad [Whaaa?], so Aegerion ran the commercial once on Fox Business Network and once on Fox News, the Aegerion spokeswoman said. A CNBC spokeswoman declined to comment.

 

“Two interviews given by Aegerion CEO Marc Beer mistakenly suggested that Juxtapid is proven to extend life,” reduce the risk of heart attack and stroke, and is safe for use in children, Dr. Sumeray said in the commercial.

 
Via Richard Meyer, Pharma Guy
Claire Gorman's insight:

We agree that there should be more accountability for what people publish on the Internet. There was not enough information provided to find anything to disagree with.

Pharma Guy's curator insight, December 22, 2014 8:35 AM


This was clearly an effort by a CEO to boost his company's share price and his personal profits, which undoubtedly depend on the price of the shares.


The Wall Street Journal Article also reveals that Mr. Beer, who became Aegerion’s CEO in 2010, "oversaw the company’s initial public offering and regulatory approval of Juxtapid, its first marketed drug. The Cambridge, Mass.-based company has 268 employees. Last year, Aegerion’s stock nearly tripled from $26.44 to $69.53 after Juxtapid sales got off to a strong start. However, a number of regulatory and legal problems, combined with disappointing Juxtapid sales, have caused the company’s share price to tumble nearly 69% to $22.81 since the beginning of 2014.


"Aegerion twice cut its sales guidance this year after it said more patients than expected quit taking Juxtapid because of the drug’s side effects, which include diarrhea, nausea and the risk of liver damage. Sales have also been hurt by an investigation by Brazilian authorities into whether Aegerion employees violated the country’s anticorruption laws in connection with the prescribing of Juxtapid there, the second-largest market for the drug after the U.S. The company said it doesn’t believe Brazil’s anticorruption laws have been broken.


"The drug maker disclosed in January it is the subject of a U.S. Justice Department investigation into its sales and marketing of Juxtapid. The company said it is cooperating with the continuing investigation, and that it intends to vigorously defend itself."


Find the FDA letter here.
