January 29, 2008 (Computerworld) What do Fallon Community Health Plan, Pennsylvania State University, OmniAmerican Bank and T. Rowe Price Group Inc. all have in common?
Each of them recently joined the seemingly never-ending parade of organizations that have disclosed security breaches resulting in the potential compromise of personal data.
Leading the pack in terms of the number of data records known to be involved was T. Rowe Price. Two weeks ago, the Baltimore-based investment management firm’s retirement plan services group began notifying about 35,000 current and former participants in "several hundred" plans that their names and Social Security numbers might have been compromised, a company spokesman confirmed today.
The spokesman said that the possible breach resulted from the theft of computers containing the data from the offices of CBIZ Benefits and Insurance Services Inc., a third-party services provider that was preparing tax-related forms on behalf of T. Rowe Price. The theft took place during the last week of December, he added.
T. Rowe Price is offering one year’s worth of free credit monitoring services and up to $25,000 in identity theft insurance to the individuals whose personal data was on the stolen systems, the spokesman said.
Meanwhile, a similar laptop theft that also took place in late December may have compromised the names, birth dates and some health care data of about 29,800 members at Fallon Community Health Plan, a Worcester, Mass.-based medical provider and insurer.
A spokesman for Fallon said that the laptop was stolen from the offices of a third-party services provider, and that the data stored on the system doesn’t appear to have been either encrypted or password-protected. But the fact that other equipment was taken along with the laptop may be an indication that the thieves were after the systems and not the data on them, the Fallon spokesman said.
Like T. Rowe Price, Fallon is offering one year’s worth of credit monitoring to all of the members of its Fallon Senior Plan and Summit ElderCare health plans who were affected by the breach. In cases where it’s needed, the credit monitoring services will be extended to two years, the spokesman said, adding that all of the affected plan members have been notified of the incident.
In the third incident to make the news over the past few days, Fort Worth, Texas-based OmniAmerican Bank said that it had been forced to impose unspecified restrictions on ATM and debit card transactions after hackers broke into its systems.
In a prepared statement, the bank said that it has also implemented a series of new "communications and security measures" in response to attempted fraudulent activity stemming from the break-in last week. It didn’t specify what those measures were, and a call to the bank seeking further comment wasn’t immediately returned.
In addition, OmniAmerican said in the statement that it is issuing new debit cards and personal identification numbers to its customers as a precaution against future fraud.
The bank didn’t disclose the number of cards that are being blocked and reissued. But a story posted last Thursday by the Fort Worth Star-Telegram newspaper that quoted OmniAmerican’s president said that the bank was reissuing about 40,000 cards and that the system break-in was the work of an international gang of cybercriminals.
In comparison to the other incidents, the breach reported by Penn State appears to have been much smaller in scope. According to a statement posted on the university’s Web site last week, a laptop computer containing personally identifiable information on 677 individuals who attended Penn State between 1999 and 2004 was stolen from a faculty member.
The theft occurred while the faculty member was traveling and appears to have been a random theft of hardware, the statement noted. The university said that it currently is in the process of notifying the affected individuals.
Weston, FL, January 21, 2008 – Ultimate Software (Nasdaq: ULTI), a leading provider of end-to-end strategic human resources, payroll, and talent management solutions, today announced it has received ISO/IEC 27001 certification. Ultimate Software joins the exclusive ranks of the few U.S. companies that have achieved this distinction and is the first human resources and payroll software-as-a-service provider to be awarded ISO/IEC 27001 certification. The ISO/IEC 27001 certification is achieved through a rigorous independent audit of a service organization’s technology, processes, and people. Ultimate Software received the ISO/IEC 27001 certification for its on-demand HR/payroll software-as-a-service, Intersourcing.
“To date, fewer than 60 U.S. companies, mostly in the telecommunications, IT, finance, and healthcare industries, have attained ISO/IEC 27001 certification,” commented Bill Hicks, CIO and senior vice president of Shared Services, Ultimate Software. “We’re delighted to be the first human resources/payroll SaaS company that has been ISO/IEC 27001 certified. It underscores our commitment to best practices and the highest standards of excellence. It has always been our objective to create a secure, sophisticated IT infrastructure. The safety and integrity of our clients’ data is our highest priority. This certification allowed us to audit and validate our processes, so we’re very pleased.” ISO/IEC 27001 is a global industry standard created by the International Organization for Standardization and the International Electrotechnical Commission that validates organizations that have implemented a sound and secure information security management system. The certification verifies that an organization has a commitment to preserving the confidentiality, integrity, and availability of its information assets; has implemented adequate and proportionate security controls to protect its information assets; and is continually monitoring and improving the quality of its overall information security management system.
“It’s critical to me that I partner with a human resources software provider who puts as strong a value on managing risk and protecting sensitive personnel data as First Horizon does,” said Karen Sones, senior vice president of human resource operations for First Horizon National Corp., one of the nation’s largest bank holding companies and an Ultimate Software Intersourcing customer. “In a time when so many companies are scrambling to keep up with security and compliance issues, we congratulate Ultimate Software for its forward-looking approach and commitment to protecting one of the most valuable customer assets – information.”
“By earning ISO/IEC 27001:2005 certification, Ultimate Software is further demonstrating its commitment to information security,” said Gary Pearsons, president of BSI Management Systems. “To be among the first companies in North America to achieve this is a real achievement. By formalizing their management system and using ISO/IEC 27001:2005 as an extra set of eyes, Ultimate Software will be able to improve security and continually assure customers that they are doing everything they can. The company’s employees are committed and use well-organized processes – ISO/IEC 27001:2005 certification can only serve to improve an already top-of-the-line business.”
When regulatory compliance and risk management come to mind, they usually evoke feelings of fear, uncertainty, and doubt as to how well an organization is prepared for government scrutiny or any worst-case business scenario. Questions arise, such as: Have we developed the proper procedures to ensure product compliance? How can we measure and actually know whether we are within the regulatory guidelines? Do we have “proof of absence,” or are we exposed to the market and regulatory risk of “absence of proof”? Do our systems help or hinder us?
The consumer recalls in 2007 are prime examples of how compliance and risk management go well beyond internal operations to span the entire supply chain. A comprehensive strategy includes three dimensions:
An internal dimension comprising variables manufacturers can control
An external dimension, which includes factors outside manufacturers’ control
A customer dimension, encompassing supply-chain factors that manufacturers can influence
While it’s common for companies to firefight internally to meet compliance mandates, it’s critical to involve and consider all constituents as part of the compliance strategy. Equally important is to recognize that compliance and risk management aren’t projects, but rather processes that must be monitored and adjusted on an ongoing basis. To meet emerging corporate responsibility and compliance mandates, companies can no longer afford the cost and risk of being reactive, nor the increased risk associated with “absence of proof” strategies. They must incrementally move to an active, and eventually proactive, compliance plan that is built into all processes and products and provides “proof of absence” of regulatory exposure.
The compliance mandate
Over the past few decades, the pace of introducing new government regulations and compliance guidelines has accelerated significantly and is unlikely to slow down. Partially as a result of consumer demand for economic, environmental, and social responsibility, the burden of safety is shifting from governments to manufacturers. Additionally, mounting pressure driven by special interest groups has led to the creation of many new laws that put tighter restrictions on manufacturers. These new restrictions and laws have increased costs and have mandated changes at all levels, requiring that companies retool at the plant floor level, reevaluate materials and suppliers, and reexamine how products are introduced and marketed. Companies often respond in an ad hoc manner. The proliferation of compliance and risk management concerns requires that companies build a strategy encompassing the three primary influences—internal, external, and customer dimensions.
Just as with the Y2K crisis of seven years ago, IT workers are being called upon to don superhero suits and save the enterprise from impending technology trouble. But this time, IT will be sifting through the complexities of the federal Sarbanes-Oxley Act of 2002
Public Companies over 75 million already need to comply by 12/15/2007...