Tuesday, June 15, 2010


Welcome to http://www.regitulation.com/, my new blog that will focus on issues of data security, privacy, and the regulatory environment. I hope to make it a place for me to post my opinions, and to share interesting news with colleagues who follow me on LinkedIn or elsewhere. This blog is a personal endeavor and I speak for myself only.

I have brainstormed some topics that I would like to post on in the coming weeks to get the blog started. Let me know if you have favorites you would like me to cover, whether on this list or not.

· Whistleblowers – The recent dustup over Wikileaks and the Google researcher disclosure of a 0day attack before Microsoft had released a fix. I have an idea to create an institutional ‘leak’ process that balances interests, and would love to hear what people think of it.

· Sunk Costs – When is it time to kill a project? How much is too much invested to quit? (short answer: none)

· PCI – Is Visa a de-facto regulator of business? How does this apply to community banks and other FIs? Have there been any enforcement actions?

· Boucher Privacy Bill – The futility of a strong privacy philosophy, and my opinion regarding the need to embrace limited, practical regulation of sensitive data coupled with a cultural shift to embrace the permanency of identity information, for better or worse.

· Public Safety Data network – I will examine the FCC’s proposal to build a public safety radio network. Who builds it? Who benefits from it? Who pays for it?

· HIPAA / HITECH – Why does the health care industry spend so much money to comply with these toothless standards when such little regulatory enforcement exists?

· Data Breaches and Litigation – The FTC has been litigating several civil suits lately based on data breaches where the company did not have ‘reasonable security’. What is reasonable security? Are all companies required to have it? Will the FTC end up being a regulator for IT across the country? Do we need a national data breach reporting law to replace the many state statutes that exist now?

· Online Fraud – Internet banking fraud has gone through the roof in 2009 and now in 2010. I’ll examine the need to improve authentication (out of band!), monitoring, and other controls. I’m especially interested in whether the FFIEC produces a mandate in 2010 or 2011. I’ll point you to some interesting stories about this growing problem.

· Credit Freeze State Legislation – Oregon passed a credit freeze law a few years ago, and I have used it. How has it worked out? Is it something that could go national? Is it effective? Is it convenient? How does it compare to credit monitoring services, or manual monitoring using the Annual Credit Report? Who should pay for these services?

· FTC Red Flag Rule - Will it ever go into effect? Will it be toothless? Or will it be costly?

· E-Discovery – Is the concept of a personal custodian of records dead? Will courts expect companies to retain all records electronically, in a searchable and protected form?

· Cloud Computing – Is security in the cloud adequate for major businesses or government? How can you gain assurance that your data is protected? How is your data segregated from others?

I hope to update this blog about once per week. I hope you will find it informative and fun. Please consider signing up with your favorite RSS reader (like Google Reader), or using the FeedMyInbox link on the right hand side of the page to get an email whenever I update.