<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" xmlns:gr="http://www.google.com/schemas/reader/atom/" xmlns:idx="urn:atom-extension:indexing" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" idx:index="no" gr:dir="ltr"><!--
Content-type: Preventing XSRF in IE.

--><generator uri="http://www.google.com/reader">Google Reader</generator><id>tag:google.com,2005:reader/user/05041919899886319834/label/standards</id><title type="text">T2P Rules, Regulations &amp; Standards News</title><gr:continuation>CKjd76Pl7aUC</gr:continuation><author><name>Truth to Power Association</name></author><updated>2011-06-20T23:00:59Z</updated><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/t2pnewsstandards" /><feedburner:info uri="t2pnewsstandards" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>t2pnewsstandards</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry gr:crawl-timestamp-msec="1308610859468"><id gr:original-id="http://www.hipaa.com/?p=2397">tag:google.com,2005:reader/item/db81f4d870c68dde</id><category term="American Recovery and Reinvestment Act" /><category term="HIPAA Law: Administrative Simplification" /><category term="Health IT and HITECH" /><category term="Privacy" /><category term="access report" /><category term="accounting of disclosures" /><category term="business associates" /><category term="covered entities" /><category term="DEPARTMENT OF HEALTH AND HUMAN SERVICES" /><category term="designated record set" /><category term="electronic designated record set" /><category term="electronic health record" /><category term="electronic protected health information" /><category term="Federal Register" /><category term="Health Care Operations" /><category term="Health Information Technology for Economic and Clinical Health Act" /><category term="HHS" /><category term="HIPAA" /><category term="HITECH Act" /><category term="notice of privacy practices" /><category term="Notice of Proposed Rulemaking" /><category term="NPRM" /><category term="OCR" /><category term="Office for Civil Rights" 
/><category term="Payment" /><category term="Privacy Rule" /><category term="protected health information" /><category term="small health plans" /><category term="statutory requirements" /><category term="Treatment" /><title type="html">HHS Publishes HITECH Act Accounting of Disclosures NPRM</title><published>2011-05-31T12:38:36Z</published><updated>2011-05-31T12:38:36Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/398cHvNTT0A/" type="text/html" /><content xml:base="http://www.hipaa.com/" type="html">&lt;p&gt;The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in the May 31, 2011, &lt;em&gt;Federal Register&lt;/em&gt; the Notice of Proposed Rule Making (NPRM) entitled &lt;em&gt;HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Ac&lt;/em&gt;t (76(104), pp. 31426-31449). This NPRM is available online in &lt;a href="http://www.gpo.gov/fdsys/pkg/FR-2011-05-31/pdf/2011-13297.pdf"&gt;pdf&lt;/a&gt;.  Comments on the NPRM are requested to be submitted on or before August 1, 2011.  The Summary of the NPRM with abbreviations, as noted, on p. 31426, is:&lt;/p&gt;
&lt;p&gt;“HHS is issuing this NPRM to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information.  The purpose of these modifications is, in part, to implement the statutory requirement under the HITECH Act to require covered entities and business associates to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record.  Pursuant to both the HITECH Act and its more general authority under HIPAA, the Department [HHS] proposes to expand the accounting provision to provide individuals with the right to receive an access report indicating who has accessed electronic protected health information in a designated record set.  Under its more general authority under HIPAA, the Department also proposes changes to the existing accounting requirements to improve their workability and effectiveness.”&lt;/p&gt;
&lt;p&gt;There are several points worth noting in the NPRM.  First, HHS  includes “a direct reference to business associates in the standard to make clear that the covered entity must include accounting information for all disclosures by the covered entity’s business associates that create, receive, maintain, or transmit &lt;strong&gt;designated record set&lt;/strong&gt; information.”  [p. 31430, emphasis added]  Second, “[c]overed entities must provide individuals with notices of privacy practices that detail how the covered entity may use and disclose protected health information and individuals’ rights with respect to their own health information. Beginning on January 1, 2013, individuals would have the right to receive a report of who accessed their electronic protected health information that covers a three-year period from the date of the request.  Covered entities would have to revise their privacy notices to reflect this change.” [p. 31445]  HHS estimates that 669,000 health care providers would have to revise and reissue their notices of privacy practices.  Next, HHS is “proposing that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication [in the &lt;em&gt;Federal Register&lt;/em&gt;]).  We are proposing that covered entities and business associates provide individuals with a right to an access report beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009. ” [p. 31429].  Finally, HHS expects to review comments and publish the Accounting of Disclosures Final Rule by the end of 2011, which means that compliance with the accounting of disclosures requirement would begin sometime during the summer of 2012. 
[20110531]&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/398cHvNTT0A" height="1" width="1"/&gt;</content><author><name>Ed Jones</name></author><source gr:stream-id="feed/http://www.hipaa.com/feed/"><id>tag:google.com,2005:reader/feed/http://www.hipaa.com/feed/</id><title type="html">HIPAA.com</title><link rel="alternate" href="http://www.hipaa.com" type="text/html" /></source><feedburner:origLink>http://www.hipaa.com/2011/05/hhs-publishes-hitech-act-accounting-of-disclosures-nprm/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1308610201405"><id gr:original-id="http://www.cio.com/article/684390/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments?source=rss_compliance">tag:google.com,2005:reader/item/373f24d3d53a95a9</id><title type="html">Enterprises Get New Guidance on PCI Compliance in Virtual Environments</title><published>2011-06-15T04:00:00Z</published><updated>2011-06-15T04:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/TKK58Vt8Elg/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments" type="text/html" /><link rel="canonical" href="http://www.cio.com/article/684390/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments?source=rss_compliance" /><summary xml:base="http://www.cio.com/" type="html">Enterprises got some much needed clarification on the implementation of PCI requirements in virtualized environments on Tuesday.&lt;img src="http://feeds.feedburner.com/~r/cio/feed/topic/1473/~4/geQ5hs_FxQg" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/TKK58Vt8Elg" height="1" width="1"/&gt;</summary><author><name>Jaikumar Vijayan &lt;info@cio.com&gt;</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/cio/feed/topic/1473"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/cio/feed/topic/1473</id><title type="html">CIO.com - Compliance</title><link 
rel="alternate" href="http://www.cio.com/" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/cio/feed/topic/1473/~3/geQ5hs_FxQg/Enterprises_Get_New_Guidance_on_PCI_Compliance_in_Virtual_Environments</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301266681633"><id gr:original-id="http://www.pogowasright.org/?p=21935">tag:google.com,2005:reader/item/9ce9322cacc33dc9</id><category term="Businesses" scheme="http://www.pogowasright.org" /><category term="Internet" scheme="http://www.pogowasright.org" /><category term="Legislation" scheme="http://www.pogowasright.org" /><title type="html">What’s Next for the FTC’s Proposed Privacy Framework?</title><published>2011-03-24T13:38:52Z</published><updated>2011-03-24T13:38:52Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/zArrY9lS-tE/" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?p=21935#comments" type="text/html" /><link rel="replies" href="http://www.pogowasright.org/?feed=atom&amp;p=21935" type="application/atom+xml" /><content xml:base="http://www.pogowasright.org/?p=21935" xml:lang="en" type="html">&lt;p&gt;Richard L. Santalesa writes:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;The December 2010 release of the FTC’s much anticipated &lt;em&gt;Privacy Framework&lt;/em&gt; (see our coverage &lt;a href="http://www.infolawgroup.com/2010/11/articles/enforcement/ftc-settles-charges-that-company-failed-to-tell-users-parents-that-childrens-information-would-be-disclosed-to-marketers/"&gt;here&lt;/a&gt;, &lt;a href="http://www.infolawgroup.com/2010/12/articles/events/david-vladeck-previews-ftcs-report-on-online-privacy/"&gt;here&lt;/a&gt;, &lt;a href="http://www.infolawgroup.com/2010/12/articles/privacy-law/review-of-ftcs-proposed-privacy-framework-part-1/"&gt;here &lt;/a&gt;and the report itself &lt;a href="http://www.ftc.gov/os/2010/12/101201privacyreport.pdf"&gt;here&lt;/a&gt;), included the typical public comment period, which ended in February.  We’ve looked at the 442 separate submitted comments received by the FTC, available &lt;a href="http://www.ftc.gov/os/comments/privacyreportframework/index.shtm"&gt;here&lt;/a&gt;, from individuals and associations, corporations and organizations to uncover what themes, trends and thoughts have been raised by the FTC’s framework, and in turn, what feedback the FTC will be weighing in future changes of the report and ultimately any resulting recommendations for additional legislation and regulation.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Read more on &lt;a href="http://www.infolawgroup.com/2011/03/articles/data-privacy-law-or-regulation/whats-next-for-the-ftcs-proposed-privacy-framework/"&gt;InformationLawGroup&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/zArrY9lS-tE" height="1" width="1"/&gt;</content><author><name>Dissent</name></author><source gr:stream-id="feed/http://www.pogowasright.org/?cat=14&amp;feed=atom"><id>tag:google.com,2005:reader/feed/http://www.pogowasright.org/?cat=14&amp;feed=atom</id><title type="html">Privacy News - PogoWasRight.org » Legislation</title><link rel="alternate" href="http://www.pogowasright.org/" type="text/html" /></source><feedburner:origLink>http://www.pogowasright.org/?p=21935</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265749679"><id gr:original-id="">tag:google.com,2005:reader/item/90afda96c49f0918</id><title type="html">New Guidance Outlines Assessing the Adequacy of Risk Management and Internal Audit Effectiveness and Efficiency</title><published>2011-01-12T20:35:00Z</published><updated>2011-01-12T20:35:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/tXdwMayXaQM/" type="text/html" /><summary xml:base="http://www.theiia.org/recent-iia-news/" type="html">ALTAMONTE SPRINGS, Fla. – Boards of directors and senior management of organizations worldwide are increasingly implementing enterprise-wide risk management practices in the aftermath of the financial crisis of 2007 and the economic recession of the ensuing two years. Newly published guidance from The Institute of Internal Auditors (IIA) can help organizations assess the adequacy of those practices as measured against the Geneva-based International Organization for Standardization’s (ISO’s) widely respected ISO 31000 framework.
“Our research with chief audit executives (CAEs) around the globe is telling us that internal auditors are being looked to more and more to offer independent, objective opinions about whether an organization’s risk management activities are effective,” says IIA Vice President of Standards and Guidance Beryl Davis, CIA. “The IIA guide Assessing the Adequacy of Risk Management Using ISO 31000 offers internal auditors three self-contained approaches to forming such a conclusion, each of which CAEs could tailor to meet the specific needs of their organization,” she says.
Taking a process elements approach can help internal auditors determine whether each of the seven foundational elements of the risk management process identified in ISO 31000 is in place, the guide says. These elements are: communication; setting the context; risk identification; risk analysis; risk evaluation; risk treatment; and monitoring and review.
The key principles approach is rooted in the concept that to be fully effective, the risk management process must satisfy a minimum set of principles or characteristics, the guide notes. Under ISO 31000, an effective risk management activity:

    Creates and protects organization value.
    Is an integral part of organizational processes.
    Is a key element of decision-making.
    Explicitly addresses uncertainty.
    Is systematic, structured, and timely.
    Is based on the best available information.
    Is tailored to the organization, its size, culture objectives, and risk profile.

ISO 31000’s maturity model approach stems from a foundational assumption that the quality of an organization’s risk management activity will improve over time. Adopting ISO 31000’s maturity model approach, the guide says, can help CAEs assess where their organization’s risk management process lies on this continuum and, by extension, enable the board to determine whether it meets the current needs of the organization and is maturing as expected.
 
“The IIA recognizes there are numerous reliable frameworks internal auditors can use to assess their ERM effectiveness,” Davis says. “Some of these frameworks – notably Enterprise Risk Management-Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) – are used primarily in the United States, while others such as the ISO’s are used around the world,” she says. “The IIA’s new practice guidance based on ISO 31000 further expands The Institute’s offerings on how to leverage the advantages of the various frameworks available to organizations,” she adds.
 
A second practice guide newly published by The IIA, Measuring Internal Audit Effectiveness and Efficiency, is grounded in the professional requirement that the effectiveness, efficiency, and level of customer service of the internal audit activity must be assessed and monitored vigorously. “Internal auditing can add immense value and support continuous improvement by identifying business risks and inefficiencies,” Davis says. “However, the internal audit department’s effectiveness and efficiency, itself, must be monitored in order to build and maintain the internal auditor’s credibility. This can be accomplished by establishing a performance measurement process, identifying key performance measures, and monitoring and reporting on the level of customer service provided to internal audit stakeholders,” she says.
 
This 19-page guide describes how to establish performance measurement and monitoring processes and report the results effectively. The document’s extensive appendices, containing material such as sample internal audit performance metrics, dashboard reports, and stakeholder feedback surveys, should be of substantial value to CAEs. All IIA practice guides are strongly recommended elements of The IIA’s International Professional Practices Framework.
 
Assessing the Adequacy of Risk Management Using ISO 31000 and Measuring Internal Audit Effectiveness and Efficiency are available to IIA members for free PDF download at: http://www.theiia.org/guidance/standards-and-guidance/. The International Organization for Standardization’s ISO 31000 framework is available at www.iso.org.  COSO’s Enterprise Risk Management — Integrated Framework is available at www.coso.org.  
 
###

About The IIA
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession&amp;#39;s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator. Members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.
 
Media Contact
Scott C. McCallum
Manager of Corporate Communications &amp;amp; PR
Tel +1-407-937-1247
Email Scott.McCallum@theiia.org&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/tXdwMayXaQM" height="1" width="1"/&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.theiia.org/rss/IIANewsfeed.xml"><id>tag:google.com,2005:reader/feed/http://www.theiia.org/rss/IIANewsfeed.xml</id><title type="html">IIA News Feed</title><link rel="alternate" href="http://www.theiia.org/recent-iia-news/" type="text/html" /></source><feedburner:origLink>http://www.theiia.org/theiia/newsroom/news-releases/?i=15098</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265737521"><id gr:original-id="">tag:google.com,2005:reader/item/40cf271fb584de58</id><title type="html">COSO Releases Two Additional Thought Papers on ERM</title><published>2011-01-11T20:29:00Z</published><updated>2011-01-11T20:29:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/eCnxqlzxI9I/" type="text/html" /><summary xml:base="http://www.theiia.org/recent-iia-news/" type="html">ALTAMONTE SPRINGS, Fla. - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal controls, enterprise risk management (ERM), and fraud deterrence – is releasing two additional new thought papers relating to ERM aimed at providing guidance to help organizations advance along the ERM maturity curve.
The first thought paper, Embracing Enterprise Risk Management: Practical Approaches for Getting Started, developed by Mark Frigo and Richard Anderson of the Center for Strategy, Execution, and Valuation at DePaul University, describes how an organization can begin implementing an ERM process. It also examines perceived barriers to effective ERM and how to work through those barriers. “Starting an ERM process is a daunting task for many organizations,” said Anderson. “The paper provides an action plan that can be used as a tangible tool in ERM implementation.”
COSO’s second thought paper, Developing Key Risk Indicators to Strengthen Enterprise Risk Management, developed by the ERM Initiative at North Carolina State University, discusses the importance of developing key risk indicators to be used to monitor emerging risks that might affect the strategic success of the enterprise. “Key risk indicators can serve as leading indicators of emerging risks that senior management and the board of directors can monitor to ensure that they don’t negatively affect the achievement of strategic objectives,” according to Mark Beasley, Deloitte Professor of Enterprise Risk Management and Director of North Carolina State’s ERM Initiative and co-author of this thought paper. 
“There is a lot of current activity involving implementation and enhancement of ERM in organizations of all sizes,” said David Landsittel, chair of COSO. “Given COSO’s dedication to providing ERM thought leadership, we are issuing these two thought papers with an objective of assisting organizations in becoming more robust in their risk management activities.” 
Copies of these thought papers can be downloaded free of charge from COSO’s web site (www.coso.org). COSO also encourages organizations seeking to strengthen their ERM processes to consider its 2004 Enterprise Risk Management – Integrated Framework, and its previously issued survey reports and thought papers on ERM, all accessible through its web site. 
 ###
 
About COSO
Originally formed in 1985 to sponsor the National Commission of Fraudulent Financial Reporting, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control and fraud deterrence. COSO’s supporting organizations are The Institute of Internal Auditors (IIA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), and the Institute of Management Accountants (IMA). www.coso.org
 
About DePaul University’s Center for Strategy, Execution, and Valuation
The Strategic Risk Management Lab in the Center for Strategy, Execution, and Valuation at DePaul University is an engagement platform for thought leaders and the business community to co-create and share leading practices in Strategic Risk Management and ERM. The Strategic Risk Management Lab provides executive education, collaborative research and advising on leading practices in ERM focused on linking strategy, risk management and governance, as well as university courses which integrate ERM and Strategic Risk Management into the curriculum. http://commerce.depaul.edu/sev/
 
About North Carolina State’s ERM Initiative 
The ERM Initiative in the College of Management at North Carolina State University is pioneering thought-leadership about the emergent discipline of enterprise risk management, with a particular focus on the integration of ERM in strategy planning and governance. The ERM Initiative conducts outreach to business professionals through executive education and hands-on advising; its internet portal (www.erm.ncsu.edu); research advancing knowledge and understanding of ERM issues; and undergraduate and graduate business education for the next generation of business executives. www.erm.ncsu.edu
Media Contact
Scott C. McCallum
Manager of Corporate Communications &amp;amp; PR
Tel +1-407-937-1247
Email Scott.McCallum@theiia.org&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/eCnxqlzxI9I" height="1" width="1"/&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.theiia.org/rss/IIANewsfeed.xml"><id>tag:google.com,2005:reader/feed/http://www.theiia.org/rss/IIANewsfeed.xml</id><title type="html">IIA News Feed</title><link rel="alternate" href="http://www.theiia.org/recent-iia-news/" type="text/html" /></source><feedburner:origLink>http://www.theiia.org/theiia/newsroom/news-releases/?i=15096</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301265487357"><id gr:original-id="http://www.finextra.com/news/announcement.aspx?pressreleaseid=38382">tag:google.com,2005:reader/item/cfb4f3061f0f3ae1</id><title type="html">PCI Security Standards Council offers phone-based payments guidance</title><published>2011-03-21T09:28:00Z</published><updated>2011-03-21T09:28:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/2iFYu2GHJ0Y/announcement.aspx" type="text/html" /><summary xml:base="http://www.finextra.com/" type="html">The PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security ...&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/2iFYu2GHJ0Y" height="1" width="1"/&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.finextra.com/rss/channel.asp?channel=security"><id>tag:google.com,2005:reader/feed/http://www.finextra.com/rss/channel.asp?channel=security</id><title type="html">Finextra Research Security channel</title><link rel="alternate" href="http://www.finextra.com/" type="text/html" /></source><feedburner:origLink>http://www.finextra.com/news/announcement.aspx?pressreleaseid=38382</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301264727646"><id 
gr:original-id="http://www.discoveryresources.org/?p=1085">tag:google.com,2005:reader/item/55fde911c323dfe9</id><category term="Home Page Featured" /><category term="Home Page Latest" /><category term="Sound Evidence" /><category term="Technology Counsel" /><title type="html">Data Destruction Policies – Is the data really gone?</title><published>2011-03-22T17:49:49Z</published><updated>2011-03-22T17:49:49Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/mlGsIdIcOTA/" type="text/html" /><summary xml:base="http://www.discoveryresources.org/" type="html">&lt;p&gt;&lt;strong&gt;&lt;/strong&gt;Following a year focused on preservation related instruction, we have a much better understanding of what is and is not permissible when it comes to data retention and destruction.  Corporate legal departments and outside counsel should, at this point, have a set of working guidelines detailing the different steps of a litigation hold, protections provided by Safe Harbor provisions, and the legal ability to continue corporate data destruction procedures following completion of a litigation hold.  
At that point, it comes down to an IT exercise which can be very daunting given the potential multiple data sources and now, the additional 3&lt;sup&gt;rd&lt;/sup&gt; party service providers who may be in possession ofcontinue…&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/mlGsIdIcOTA" height="1" width="1"/&gt;</summary><author><name>Chris Wilen</name></author><source gr:stream-id="feed/http://www.discoveryresources.org/feed/"><id>tag:google.com,2005:reader/feed/http://www.discoveryresources.org/feed/</id><title type="html">Discovery Resources</title><link rel="alternate" href="http://www.discoveryresources.org" type="text/html" /></source><feedburner:origLink>http://www.discoveryresources.org/technology-counsel/data-destruction-policies-%e2%80%93-is-the-data-really-gone/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301262708302"><id gr:original-id="http://www.cio.com/article/192901/Why_IT_Management_Frameworks_Don_t_Guarantee_IT_Success?source=rss_architecture">tag:google.com,2005:reader/item/753f8cf8a5f41db4</id><title type="html">Why IT Management Frameworks Don't Guarantee IT Success</title><published>2008-03-05T05:00:00Z</published><updated>2008-03-05T05:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/CiYx2UbGNe8/Why_IT_Management_Frameworks_Don_t_Guarantee_IT_Success" type="text/html" /><link rel="canonical" href="http://www.cio.com/article/192901/Why_IT_Management_Frameworks_Don_t_Guarantee_IT_Success?source=rss_architecture" /><summary xml:base="http://www.cio.com/" type="html">It just isn't enough for your IT organization to have mature management and software development processes if the business organizations don't do their part. Companies also need an IT maturity model for the enterprise. 
PLUS: 5 tips to jump-start consultants and standards organizations.&lt;img src="http://feeds.feedburner.com/~r/cio/feed/topic/1406/~4/jTorWTXZiUc" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/CiYx2UbGNe8" height="1" width="1"/&gt;</summary><author><name>Laurie M. Orlov &lt;info@cio.com&gt;</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/cio/feed/topic/1406"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/cio/feed/topic/1406</id><title type="html">CIO.com - Metrics</title><link rel="alternate" href="http://www.cio.com/" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/cio/feed/topic/1406/~3/jTorWTXZiUc/Why_IT_Management_Frameworks_Don_t_Guarantee_IT_Success</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301262646815"><id gr:original-id="http://www.cio.com/article/603116/Revisions_to_Credit_Card_Security_Standard_on_the_Way?source=rss_alignment">tag:google.com,2005:reader/item/814a0959f0f3391e</id><title type="html">Revisions to Credit Card Security Standard on the Way</title><published>2010-08-12T04:00:00Z</published><updated>2010-08-12T04:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/ZoUDwOz5g_E/Revisions_to_Credit_Card_Security_Standard_on_the_Way" type="text/html" /><link rel="canonical" href="http://www.cio.com/article/603116/Revisions_to_Credit_Card_Security_Standard_on_the_Way?source=rss_alignment" /><summary xml:base="http://www.cio.com/" type="html">The Payment Card Industry Data Security Standard 2.0 will be out at the beginning of September. 
The standard governs how businesses must guard sensitive cardholder information on their networks.&lt;img src="http://feeds.feedburner.com/~r/cio/feed/topic/1473/~4/M-qmV25VpIA" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/ZoUDwOz5g_E" height="1" width="1"/&gt;</summary><author><name>Ellen Messmer &lt;info@cio.com&gt;</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/cio/feed/topic/1473"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/cio/feed/topic/1473</id><title type="html">CIO.com - Compliance</title><link rel="alternate" href="http://www.cio.com/" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/cio/feed/topic/1473/~3/M-qmV25VpIA/Revisions_to_Credit_Card_Security_Standard_on_the_Way</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301262629190"><id gr:original-id="http://www.cio.com/article/592279/What_s_Wrong_with_the_PCI_Security_Standard?source=rss_alignment">tag:google.com,2005:reader/item/166d67f550f0c5df</id><title type="html">What's Wrong with the PCI Security Standard</title><published>2010-04-29T04:00:00Z</published><updated>2010-04-29T04:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/MDoW9D4r6TU/What_s_Wrong_with_the_PCI_Security_Standard" type="text/html" /><link rel="canonical" href="http://www.cio.com/article/592279/What_s_Wrong_with_the_PCI_Security_Standard?source=rss_alignment" /><summary xml:base="http://www.cio.com/" type="html">The security standard used to protect credit cards isn't up to the task and upgrades that are planned for this fall do virtually nothing to improve it, a security expert told Interop attendees this week.&lt;img src="http://feeds.feedburner.com/~r/cio/feed/topic/1473/~4/uCLd4q8qOks" height="1" width="1"&gt;&lt;img src="http://feeds.feedburner.com/~r/t2pnewsstandards/~4/MDoW9D4r6TU" height="1" width="1"/&gt;</summary><author><name>Tim Greene 
&lt;info@cio.com&gt;</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/cio/feed/topic/1473"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/cio/feed/topic/1473</id><title type="html">CIO.com - Compliance</title><link rel="alternate" href="http://www.cio.com/" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/cio/feed/topic/1473/~3/uCLd4q8qOks/What_s_Wrong_with_the_PCI_Security_Standard</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301262621366"><id gr:original-id="http://www.cio.com/article/604063/Is_ERP_Ready_for_Corporate_Social_Responsibility_?source=rss_alignment">tag:google.com,2005:reader/item/e68973ff28aa5203</id><title type="html">Is ERP Ready for Corporate Social Responsibility?</title><published>2010-08-19T04:00:00Z</published><updated>2010-08-19T04:00:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/VkDlB28G6Ys/Is_ERP_Ready_for_Corporate_Social_Responsibility_" type="text/html" /><link rel="canonical" href="http://www.cio.com/article/604063/Is_ERP_Ready_for_Corporate_Social_Responsibility_?source=rss_alignment" /><summary xml:base="http://www.cio.com/" type="html">This new ISO standard has to do with corporate social responsibility. 
IFS North America Senior Advisor Bill Leedale discusses how EAM, ERP and other enterprise software can help industry comply with ISO 26000.</summary><author><name>Bill Leedale &lt;info@cio.com&gt;</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/cio/feed/topic/1473"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/cio/feed/topic/1473</id><title type="html">CIO.com - Compliance</title><link rel="alternate" href="http://www.cio.com/" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/cio/feed/topic/1473/~3/KNXPpC9SXeI/Is_ERP_Ready_for_Corporate_Social_Responsibility_</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301262461633"><id gr:original-id="http://www.bankinfosecurity.com/articles.php?art_id=3386">tag:google.com,2005:reader/item/183b150c11aa74b5</id><title type="html">NIST Issues Slew of New Guidance</title><published>2011-03-27T21:47:41Z</published><updated>2011-03-27T21:47:41Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/5IJHVSKKz-Y/articles.php" type="text/html" /><link rel="canonical" href="http://www.bankinfosecurity.com/articles.php?art_id=3386" /><summary xml:base="http://www.bankinfosecurity.com/rssFeeds.php?type=main" type="html">&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/3386_NIST_on_Blue_Background.jpg" align="right" hspace="4"&gt;&lt;b&gt;IT Products Checklist, SCAP Specs,  Vulnerability Naming Schemes Guide&lt;/b&gt;&lt;br&gt;NIST updates its national checklist program for IT products, tech specs for SCAP and guide to using vulnerability naming schemes as well as providing a status report on its cryptographic hash algorithm competition.
</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/BankinfosecuritycomRSSArticles"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/BankinfosecuritycomRSSArticles</id><title type="html">BankInfoSecurity.com  RSS Syndication</title><link rel="alternate" href="http://www.bankinfosecurity.com/rssFeeds.php?type=main" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/BankinfosecuritycomRSSArticles/~3/GPQVpblpsro/articles.php</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301262428552"><id gr:original-id="http://www.bankinfosecurity.com/articles.php?art_id=3392">tag:google.com,2005:reader/item/dc9ed2d860d8fdec</id><title type="html">New NIST Guidance Focuses on Risk Management</title><published>2011-03-27T21:47:08Z</published><updated>2011-03-27T21:47:08Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/F2LrqSoF0mU/articles.php" type="text/html" /><link rel="canonical" href="http://www.bankinfosecurity.com/articles.php?art_id=3392" /><summary xml:base="http://www.bankinfosecurity.com/rssFeeds.php?type=main" type="html">&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/3392_SP_800_39.jpg" align="right" hspace="4"&gt;&lt;b&gt;Joint Initiative with Defense Department, Intelligence Community&lt;/b&gt;&lt;br&gt;Describing it as the capstone publication of a partnership with the defense and intelligence communities, NIST publishes new guidance on managing security risk associated with the operation and use of IT systems.
</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/BankinfosecuritycomRSSArticles"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/BankinfosecuritycomRSSArticles</id><title type="html">BankInfoSecurity.com  RSS Syndication</title><link rel="alternate" href="http://www.bankinfosecurity.com/rssFeeds.php?type=main" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/BankinfosecuritycomRSSArticles/~3/d1RHmX1dIuQ/articles.php</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1301262406797"><id gr:original-id="http://www.bankinfosecurity.com/articles.php?art_id=3409">tag:google.com,2005:reader/item/0de7e7152e08dff6</id><title type="html">Court Validates Red Flags Exemptions</title><published>2011-03-27T21:46:46Z</published><updated>2011-03-27T21:46:46Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/dLw3uMGETYc/articles.php" type="text/html" /><link rel="canonical" href="http://www.bankinfosecurity.com/articles.php?art_id=3409" /><summary xml:base="http://www.bankinfosecurity.com/rssFeeds.php?type=main" type="html">&lt;img src="http://docs.bankinfosecurity.com/files/images_articles/3409_artid_3409.jpg" align="right" hspace="4"&gt;A U.S. 
Appellate court decision March 4 further validates that physicians and attorneys are exempt from the Identity Theft Red Flags Rule.</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://feeds.feedburner.com/BankinfosecuritycomRSSArticles"><id>tag:google.com,2005:reader/feed/http://feeds.feedburner.com/BankinfosecuritycomRSSArticles</id><title type="html">BankInfoSecurity.com  RSS Syndication</title><link rel="alternate" href="http://www.bankinfosecurity.com/rssFeeds.php?type=main" type="text/html" /></source><feedburner:origLink>http://feedproxy.google.com/~r/BankinfosecuritycomRSSArticles/~3/YBNyVFUQwr0/articles.php</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1292402542337"><id gr:original-id="http://www.huntonprivacyblog.com/2010/11/articles/centre-for-information-policy-2/data-protection-law-and-the-ethical-use-of-analytics/">tag:google.com,2005:reader/item/4802e0a8c9e8e62e</id><category term="Analytics" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Centre for Information Policy Leadership" scheme="http://www.huntonprivacyblog.com/articles" /><category term="Data Protection" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Ethics" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Information Security" scheme="http://www.huntonprivacyblog.com/articles" /><category term="Paul Schwartz" scheme="http://www.huntonprivacyblog.com/tags" /><title type="html">Data Protection Law and the Ethical Use of Analytics</title><published>2010-11-30T16:55:35Z</published><updated>2010-11-30T16:55:35Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/nMiGjT-PuZs/" type="text/html" /><link rel="canonical" 
href="http://www.huntonprivacyblog.com/2010/11/articles/centre-for-information-policy-2/data-protection-law-and-the-ethical-use-of-analytics/" /><summary xml:base="http://www.huntonprivacyblog.com/" type="html">&lt;p&gt;The Centre for Information Policy Leadership (the “Centre”) this week issued “&lt;a href="http://www.huntonfiles.com/files/webupload/CIPL_Ethical_Undperinnings_of_Analytics_Paper.pdf"&gt;Data Protection Law and the Ethical Use of Analytics&lt;/a&gt;,” authored for the Centre by Paul Schwartz, Professor of Law, Berkeley Law School, University of California.  Marty Abrams shared this paper on November 30, 2010, at the European Data Protection and Privacy Conference in Brussels and plans to present the paper on December 1, 2010, at the Organization for Economic Cooperation and Development.&lt;/p&gt;&lt;p&gt;The paper examines the increasing role of analytics – the use of information to make decisions and to create new products and services – in 21st century organizations.  Analytics provides a way for organizations to draw on the great quantities of information in their control or available from third parties.  Leading authorities on the practice of analytics refer to the phenomenon as “the extensive use of data, statistical and quantitative analytics, explanatory and predictive models, and fact-based management to drive decisions and actions.”  According to the paper, analytics takes the information that entities have, or to which they can gain access, and converts the information into knowledge they can act on.&lt;/p&gt;
&lt;p&gt;The paper argues that analytics should be considered in a manner that takes into account the risks that a specific use of analytics poses to privacy and the kind of responsible processes that should accompany such use.  It considers examples of analytics in action, including multichannel marketing, fraud prevention and data security, health care research and a variety of products for direct use by individuals.&lt;/p&gt;
&lt;p&gt;The paper identifies four distinct stages of analytics: (1) collection, (2) integration and analysis, (3) decision-making and (4) review and revision.  It also proposes that responsible data processing should be tailored to the discrete stages in which analytics is used.  At the same time, the paper examines the complex questions that analytics raises for data protection law modeled on fair information practices and proposes a set of ethical guidelines for the use of analytics.&lt;/p&gt;
&lt;p&gt;Organizations participating in this project included a cross-section of leading private sector companies that currently use analytics.  The paper’s ethical standards were developed through a series of interviews and a workshop involving experts from those organizations.  The Centre expects that this paper will form the basis for further discussions about applying data protection to advanced analytic processes.&lt;/p&gt;
&lt;p&gt;Read the &lt;a href="http://www.huntonfiles.com/files/webupload/CIPL_Ethical_Undperinnings_of_Analytics_Paper.pdf"&gt;white paper&lt;/a&gt;.  For more information on the Centre’s projects, please visit the &lt;a href="http://www.hunton.com/Resources/Sites/general.aspx?id=45"&gt;Centre’s website&lt;/a&gt;.&lt;/p&gt;</summary><author><name>Hunton &amp; Williams LLP</name></author><source gr:stream-id="feed/http://www.huntonprivacyblog.com/index.xml"><id>tag:google.com,2005:reader/feed/http://www.huntonprivacyblog.com/index.xml</id><title type="html">Privacy and Information Security Law Blog</title><link rel="alternate" href="http://www.huntonprivacyblog.com" type="text/html" /></source><feedburner:origLink>http://feeds.lexblog.com/~r/PrivacyInformationSecurityLawBlog/~3/0dNcLcDKT-Y/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1292402506646"><id gr:original-id="http://www.huntonprivacyblog.com/2010/12/articles/european-union-1/french-data-protection-authority-revises-authorization-on-whistleblowing-schemes/">tag:google.com,2005:reader/item/1b21a51bf91415ba</id><category term="CNIL" scheme="http://www.huntonprivacyblog.com/tags" /><category term="European Union" scheme="http://www.huntonprivacyblog.com/articles" /><category term="France" scheme="http://www.huntonprivacyblog.com/tags" /><category term="International" scheme="http://www.huntonprivacyblog.com/articles" /><category term="Japan" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Whistleblowing" scheme="http://www.huntonprivacyblog.com/tags" /><title type="html">French Data Protection Authority Revises Authorization on Whistleblowing Schemes</title><published>2010-12-08T15:39:20Z</published><updated>2010-12-08T15:39:20Z</updated><link 
rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/5Rdoshhh-tg/" type="text/html" /><link rel="canonical" href="http://www.huntonprivacyblog.com/2010/12/articles/european-union-1/french-data-protection-authority-revises-authorization-on-whistleblowing-schemes/" /><summary xml:base="http://www.huntonprivacyblog.com/" type="html">&lt;p&gt;On October 14, 2010, the French Data Protection Authority (the “CNIL”) adopted several &lt;a href="http://www.huntonfiles.com/files/webupload/PrivacyLaw_D2010-369%20AU004.pdf"&gt;amendments&lt;/a&gt; to its single authorization &lt;a href="http://www.huntonfiles.com/files/webupload/PrivacyLaw_D%C3%A9lib%C3%A9ration_2005-305_du_08_d%C3%A9cembre_2005.pdf"&gt;AU-004&lt;/a&gt; regarding the use of whistleblowing schemes (the “Single Authorization”).&lt;/p&gt;
&lt;p&gt;Since 2005, companies in France must register their whistleblowing schemes with the CNIL either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for approval with the CNIL.  Companies that self-certify to the Single Authorization make a formal undertaking that their whistleblowing scheme complies with the pre-established conditions set out in this authorization.  In particular, the scope of the Single Authorization is limited to the following specific areas: finance, accounting, banking, fight against corruption and compliance with Section 301(4) of the Sarbanes-Oxley Act.  Under the revised framework, the CNIL has extended the scope of the Single Authorization to include the prevention of anti-competitive practices and compliance with the Japanese Financial Instrument and Exchange Act.&lt;/p&gt;&lt;p&gt;Furthermore, the CNIL deleted a provision of the Single Authorization that previously authorized companies to use their whistleblowing hotline to report facts that did not fall within the pre-established scope but nevertheless posed a threat to the “vital interests” of the company.  This deletion complies with a &lt;a href="http://www.huntonfiles.com/files/webupload/PrivacyLaw_Cour_de_cassation_civile_Chambre_sociale_8_d%C3%A9cembre_2009.pdf"&gt;French Court of Cassation decision&lt;/a&gt; from December of last year, in which the Court ruled that the CNIL’s Single Authorization restricted the use of whistleblowing schemes to the limited scope prescribed by it, and did not authorize extensions of such schemes to other areas.&lt;/p&gt;
&lt;p&gt;Finally, companies that have already registered their whistleblowing schemes with the CNIL have up to six months, starting from the publication of these revisions, to comply with these new rules and amend their schemes if needed.&lt;/p&gt;
&lt;p&gt;For more information, view the &lt;a href="http://www.cnil.fr/la-cnil/actu-cnil/article/article/alertes-professionnelles-la-cnil-clarifie-son-autorisation-unique-nau-004/"&gt;amendments&lt;/a&gt; to the CNIL’s Single Authorization (in French).&lt;/p&gt;</summary><author><name>Hunton &amp; Williams LLP</name></author><source gr:stream-id="feed/http://www.huntonprivacyblog.com/index.xml"><id>tag:google.com,2005:reader/feed/http://www.huntonprivacyblog.com/index.xml</id><title type="html">Privacy and Information Security Law Blog</title><link rel="alternate" href="http://www.huntonprivacyblog.com" type="text/html" /></source><feedburner:origLink>http://feeds.lexblog.com/~r/PrivacyInformationSecurityLawBlog/~3/hYMK77Q-ZpE/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1292402494041"><id gr:original-id="http://www.huntonprivacyblog.com/2010/12/articles/identity-theft/house-approves-social-security-number-protection-act/">tag:google.com,2005:reader/item/aa1347644ebbba86</id><category term="Congress" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Dianne Feinstein" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Identity Theft" scheme="http://www.huntonprivacyblog.com/articles" /><category term="Information Security" scheme="http://www.huntonprivacyblog.com/articles" /><category term="Judd Gregg" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Legislation" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Obama" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Personal information" scheme="http://www.huntonprivacyblog.com/tags" /><category term="Social Security number" scheme="http://www.huntonprivacyblog.com/tags" /><title type="html">House 
Approves Social Security Number Protection Act</title><published>2010-12-09T18:17:08Z</published><updated>2010-12-09T18:17:08Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/XyM2K-xhMTs/" type="text/html" /><link rel="canonical" href="http://www.huntonprivacyblog.com/2010/12/articles/identity-theft/house-approves-social-security-number-protection-act/" /><summary xml:base="http://www.huntonprivacyblog.com/" type="html">&lt;p&gt;On December 8, 2010, the U.S. House of Representatives &lt;a href="http://feinstein.senate.gov/public/index.cfm?FuseAction=NewsRoom.PressReleases&amp;amp;ContentRecord_id=c843995a-5056-8059-76ab-63a9973b06d3"&gt;approved&lt;/a&gt; the &lt;a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-3789"&gt;Social Security Number Protection Act of 2010&lt;/a&gt; (S. 3789), which is aimed at reducing identity theft by limiting access to Social Security numbers.  The bill prohibits printing Social Security numbers, or any derivative of a Social Security number, on government-issued checks, and bars federal, state and local government entities from employing prisoners in jobs that would allow them to access Social Security numbers.  Although there are numerous &lt;a href="http://www.huntonprivacyblog.com/2008/12/articles/information-security/new-york-enacts-law-restricting-ssn-use/"&gt;state laws&lt;/a&gt; on the books to safeguard Social Security numbers, the Social Security Number Protection Act will provide federal coverage.  The bill was introduced by Senators &lt;a href="http://feinstein.senate.gov/public/index.cfm?FuseAction=NewsRoom.PressReleases&amp;amp;ContentRecord_id=5e61686f-5056-8059-7663-eec169eea175&amp;amp;IsTextOnly=False"&gt;Dianne Feinstein&lt;/a&gt; (D-CA) and &lt;a href="http://gregg.senate.gov/news/press/release/?id=05607361-4e4d-4863-a94c-28f80f58713f"&gt;Judd Gregg&lt;/a&gt; (R-NH) and passed in the Senate by unanimous consent on September 28, 2010.  
It is now headed for signature by President Obama.&lt;/p&gt;</summary><author><name>Hunton &amp; Williams LLP</name></author><source gr:stream-id="feed/http://www.huntonprivacyblog.com/index.xml"><id>tag:google.com,2005:reader/feed/http://www.huntonprivacyblog.com/index.xml</id><title type="html">Privacy and Information Security Law Blog</title><link rel="alternate" href="http://www.huntonprivacyblog.com" type="text/html" /></source><feedburner:origLink>http://feeds.lexblog.com/~r/PrivacyInformationSecurityLawBlog/~3/cv_TFYA1sxQ/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1292401539072"><id gr:original-id="">tag:google.com,2005:reader/item/d5a3ea03c6c4f056</id><title type="html">FTC Staff Issues Privacy Report, Offers Framework for Consumers, Businesses, and Policymakers</title><published>2010-12-01T16:30:00Z</published><updated>2010-12-01T16:30:00Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/gdiZ4geYuOA/privacyreport.shtm" type="text/html" /><summary xml:base="http://www.ftc.gov/rss/text/prall.xml" type="html">Endorses "Do Not Track" to Facilitate Consumer Choice About Online Tracking</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://www.ftc.gov/rss/text/prall.xml"><id>tag:google.com,2005:reader/feed/http://www.ftc.gov/rss/text/prall.xml</id><title type="html">Federal Trade Commission (FTC) - Text of Press Releases</title><link rel="alternate" href="http://www.ftc.gov/rss/text/prall.xml" type="text/html" /></source><feedburner:origLink>http://www.ftc.gov/opa/2010/12/privacyreport.shtm</feedburner:origLink></entry><entry 
gr:crawl-timestamp-msec="1292401503495"><id gr:original-id="http://www.ediscoverylaw.com/2010/11/articles/news-updates/european-commission-announces-intention-to-strengthen-eu-data-protection-rules/">tag:google.com,2005:reader/item/7cc54b85fa3a8fb8</id><category term="News &amp; Updates" scheme="http://www.ediscoverylaw.com/articles" /><title type="html">European Commission Announces Intention to Strengthen EU Data Protection Rules</title><published>2010-11-19T20:06:39Z</published><updated>2010-11-19T20:06:39Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/OImZMQT1U64/" type="text/html" /><link rel="canonical" href="http://www.ediscoverylaw.com/2010/11/articles/news-updates/european-commission-announces-intention-to-strengthen-eu-data-protection-rules/" /><summary xml:base="http://www.ediscoverylaw.com/" type="html">&lt;p&gt;In a press release dated November 4, 2010, the European Commission outlined its goal of reviewing and amending its Data Protection Directive to address “challenges raised by new technologies and globalisation.”  The press release announces the Commission’s intention to “put forward legislation next year to strengthen individuals’ rights while also removing red tape to ensure the free flow of data within the EU’s Single Market” and sets forth a “series of key goals”, including “[s]trengthening individuals’ rights,” “[e]nsuring high levels of protection for data transferred outside the EU,” and “[m]ore effective enforcement of the rules.” The press release is entitled, “European Commission sets out strategy to strengthen EU data protection rules” and begins:&lt;/p&gt;
&lt;p style="margin-left:40px"&gt;&lt;strong&gt;&lt;em&gt;What happens to your personal data when you board a plane, open a bank account, or share photos online? How is this data used and by whom?  How do you permanently delete profile information on social networking websites?  Can you transfer your contacts and photos to another service?  Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today&amp;#39;s digital world.  To address these issues, the European Commission today set out a strategy on how to protect individuals&amp;#39; data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU.  This policy review will be used by the Commission with the results of a public consultation to revise the EU’s 1995 Data Protection Directive.  The Commission will then propose legislation in 2011.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;To read the entire press release, &lt;a href="http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1462&amp;amp;format=HTML&amp;amp;aged=0&amp;amp;language=EN&amp;amp;guiLanguage=fr"&gt;click here&lt;/a&gt;.&lt;/p&gt;</summary><author><name>K&amp;L Gates</name></author><source gr:stream-id="feed/http://www.ediscoverylaw.com/index.xml"><id>tag:google.com,2005:reader/feed/http://www.ediscoverylaw.com/index.xml</id><title type="html">Electronic Discovery Law</title><link rel="alternate" href="http://www.ediscoverylaw.com/" type="text/html" /></source><feedburner:origLink>http://feeds.lexblog.com/~r/ediscoverylaw/klgates/~3/6qvUwzUQPP4/</feedburner:origLink></entry><entry gr:crawl-timestamp-msec="1292400453261"><id gr:original-id="tag:news.google.com,2005:cluster=http://www.out-law.com/page-11643">tag:google.com,2005:reader/item/6d7237d3710326b7</id><title type="html">Web accessibility code of practice launched by BSI - Out-Law.com</title><published>2010-12-03T13:02:37Z</published><updated>2010-12-03T13:02:37Z</updated><link rel="alternate" href="http://feedproxy.google.com/~r/t2pnewsstandards/~3/Nx1fZ2moCH0/url" type="text/html" /><summary xml:base="http://news.google.com/news?pz=1&amp;ned=us&amp;hl=en&amp;q=cobit+OR+coso+OR+BSI+OR+ITIL+OR+NIST+OR+ISACA+OR+ITGI+OR+IIA" type="html">&lt;table border="0" cellpadding="2" cellspacing="7" style="vertical-align:top"&gt;&lt;tr&gt;&lt;td width="80" align="center" valign="top"&gt;&lt;font style="font-size:85%;font-family:arial,sans-serif"&gt;&lt;/font&gt;&lt;/td&gt;&lt;td valign="top"&gt;&lt;font style="font-size:85%;font-family:arial,sans-serif"&gt;&lt;br&gt;&lt;div style="padding-top:0.8em"&gt;&lt;img alt="" height="1" width="1"&gt;&lt;/div&gt;&lt;div&gt;&lt;a 
href="http://news.google.com/news/url?sa=t&amp;amp;fd=R&amp;amp;usg=AFQjCNEVbdADiyPbkobvki_vMXNeMnDQfA&amp;amp;url=http://www.out-law.com/page-11643"&gt;&lt;b&gt;Web accessibility code of practice launched by &lt;b&gt;BSI&lt;/b&gt;&lt;/b&gt;&lt;/a&gt;&lt;br&gt;&lt;font size="-1"&gt;&lt;b&gt;&lt;font color="#6f6f6f"&gt;Out-Law.com&lt;/font&gt;&lt;/b&gt;&lt;/font&gt;&lt;br&gt;&lt;font size="-1"&gt;UK standards-setting body &lt;b&gt;BSI&lt;/b&gt; has published the first British standard on web accessibility. The websites of organisations which follow the guidance will be &lt;b&gt;...&lt;/b&gt;&lt;/font&gt;&lt;br&gt;&lt;font size="-1"&gt;&lt;/font&gt;&lt;br&gt;&lt;font size="-1"&gt;&lt;a href="http://news.google.com/news/more?pz=1&amp;amp;ned=us&amp;amp;ncl=dBHgvIMiAw8sgkM"&gt;&lt;b&gt;&lt;/b&gt;&lt;/a&gt;&lt;/font&gt;&lt;/div&gt;&lt;/font&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;</summary><author gr:unknown-author="true"><name>(author unknown)</name></author><source gr:stream-id="feed/http://news.google.com/news?hl=en&amp;oe=UTF-8&amp;um=1&amp;tab=wn&amp;resnum=0&amp;cd=1&amp;q=cobit+OR+coso+OR+BSI+OR+ITIL+OR+NIST+OR+ISACA+OR+ITGI+OR+IIA&amp;ie=UTF-8&amp;nolr=1&amp;output=rss"><id>tag:google.com,2005:reader/feed/http://news.google.com/news?hl=en&amp;oe=UTF-8&amp;um=1&amp;tab=wn&amp;resnum=0&amp;cd=1&amp;q=cobit+OR+coso+OR+BSI+OR+ITIL+OR+NIST+OR+ISACA+OR+ITGI+OR+IIA&amp;ie=UTF-8&amp;nolr=1&amp;output=rss</id><title type="html">cobit OR coso OR BSI OR ITIL OR NIST OR ISACA OR ITGI OR IIA - Google News</title><link rel="alternate" href="http://news.google.com/news?pz=1&amp;ned=us&amp;hl=en&amp;q=cobit+OR+coso+OR+BSI+OR+ITIL+OR+NIST+OR+ISACA+OR+ITGI+OR+IIA" type="text/html" /></source><feedburner:origLink>http://news.google.com/news/url?sa=t&amp;fd=R&amp;usg=AFQjCNEVbdADiyPbkobvki_vMXNeMnDQfA&amp;url=http://www.out-law.com/page-11643</feedburner:origLink></entry></feed>
