
NCX Group Security Update
ISSUE: September 2008

  NEW DATA BREACH COMPLIANCE RULES FOR RETAILERS IN CALIFORNIA
An amended version of the Consumer Data Protection Act, or AB 1656, is sure to be signed by Governor Schwarzenegger after the California State Assembly approved it by a 74-1 margin.

After being vetoed last October, it is now back on the Governor's desk, but with a major clause removed that would have required retailers to reimburse financial institutions for all costs of credit and debit card replacement related to a data breach. Retailers' opposition to the bill was that they already pay for fraud-related costs upfront via the interchange fees they are assessed by credit card companies on each transaction and it would put a tremendous burden on smaller merchants.

Too many retailers maintain customer data they do not need, which makes them a prime target for identity theft. So far this year, the number of stores that have reportedly failed to safeguard customers' private information has spiked compared with 2007. California lawmakers hope that AB 1656 will provide the increased transparency needed from retailers and require that those who store your personal information take responsibility for their security measures should that information end up in the wrong hands.

CSOs, take heed. This data breach bill would require retailers and other organizations that accept or handle payment card transactions to take specific precautions for protecting cardholder data. The main components of the bill are:


- It prohibits merchants from storing, retaining, sending, or failing to limit access to payment-related cardholder data, even if the information is encrypted. Account numbers, verification codes, and personal identification numbers cannot be retained.
- Formal data retention and disposal policies, limiting both the amount of cardholder data retained and the length of time it is stored, would be required.
- All credit and debit card data transmitted over public networks would need to be encrypted.
- Businesses that suffer breaches would have to inform card-issuing banks about the kind of data that was compromised, and provide a toll-free phone number or some other type of contact, such as an email address, for answering breach-related questions from consumers.
- Notification to the Office of Information Security and Privacy Protection must also be provided if substitute notice is used.
- Access to payment-related data must be limited to only those employees whose job requires them to see it.
- For recurring payments, only the payment-related data needed to process them may be kept, and that data is subject to PCI DSS guidelines.

For an inside look at the new rules, visit AB 1656. As more stringent legislation is enacted, businesses need to be prepared and know where their data risks reside. You can rely on NCX Group's expertise to help you adhere to security legislation and remain compliant.



NEVADA PASSES FIRST DATA ENCRYPTION LAW

Nevada has passed a new law that, as of October 1, 2008, requires Nevada businesses to encrypt all electronic transmissions of a customer's personal information if the information is sent outside "the secure system of the business."

While the new law requires the encryption of personal information during transmission, it does not require businesses to encrypt the same information while it is being stored on servers, laptops, backup tapes, and the like. Nonetheless, the data breach notification law requires notification of individuals when their personal information is not encrypted and has been the subject of a security breach. Personal information is defined as a person's first name or first initial and last name, combined with either the person's (1) Social Security number, (2) driver's license or identification card number, or (3) account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the person's financial account.

Many states offer a safe harbor for data that has been protected by encryption, but Nevada's is believed to be the first law flatly requiring encryption of transmitted data. The new law is said to supplement, and not replace or modify, Nevada's current data breach notification law. It also does not expressly provide for penalties or remedies, yet it suggests that a violation of the law could be argued to be evidence of negligence or other wrongdoing in a civil lawsuit against the company in the event a customer is harmed as a result of a failure to comply with the law.


For more information about NCX Group's services or for a free consultation on how our experts can help you secure your data at a price that will fit your budget, call us at 888-448-5451 or request a representative to call you.

NCX Group, Inc. is a leading information risk management firm specializing in the assessment and mitigation of risk associated with today's technologies and business processes.

NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
888-448-5451
Copyright ©2008 NCX Group, Inc. All rights reserved.