Nearly a year ago, the federal government announced its new Cyberscope online application for reporting agency information associated with the Federal Information Security Management Act (FISMA). In more detailed guidance issued in April through Memorandum M-10-15, OMB Deputy Director Jeffrey Zients, Federal CIO Vivek Kundra, and Cybersecurity Coordinator Howard Schmidt put agencies on notice that they would be required to begin submitting FISMA reports online using Cyberscope by November 15. Now, with that deadline just six weeks away, the results of a survey of federal CIOs and CISOs conducted by MeriTalk on behalf of several security vendors suggest that few agencies are yet familiar with the tool or its associated reporting requirements, and that this lack of familiarity translates into uncertainty about what impact the new approach and the new reporting requirements may have on federal information security.
Results reported from the survey include that just 15 percent of those surveyed (15% of 34 = 5 individuals) had actually used the Cyberscope tool, despite the fact that it has been available for months. Perhaps unsurprisingly, large proportions of the majority of respondents who had not yet used the application did not have a clear understanding of either the mission and goals for Cyberscope or of the specific reporting requirements for which these same respondents will soon be held accountable. If it seems a bit unrealistic to expect executives whose agencies have not begun evaluating or working with the tool to have informed opinions about how well it will work, bear in mind that OMB’s plan for FISMA reporting is to have agencies move to monthly (rather than the current quarterly) report submission beginning in 2011, and any agency that hasn’t started planning to satisfy that requirement seems likely to have trouble meeting it. Ironically, the intention is for Cyberscope to ease the reporting burden on agencies by automating monthly data feeds from agency FISMA management tools into Cyberscope. For agencies using the Cyber Security Assessment and Management (CSAM) system hosted by the Justice Department, the migration to automated reporting should be a relatively straightforward task, given that the key information is already stored in a central location in a consistent format. However, any agency that assumes Cyberscope won’t require significant changes in its information security program management is likely to be in for a disappointing winter on the FISMA reporting front.
Credit reporting services giant Equifax announced yesterday that it has completed an acquisition of privately-held security software company Anakam, whose identity management and strong authentication technologies will presumably enhance Equifax’s solution set in the identity space, particularly with respect to online identity proofing and verification services. Equifax already offers a set of identity verification services to consumers and businesses, leveraging the vast stores of information it maintains on most U.S. citizens, so the addition of Anakam’s products may enable the company to offer a single solution for online identity proofing, verification, and authentication. It will be interesting to see what level of identity proofing the company might be able to achieve with an enhanced set of products and services. In the government arena, where online services and applications are subject to the federal e-authentication rules described in NIST Special Publication 800-63, the more sensitive the information an application handles and makes available, the more stringent the user authentication requirements and the tougher the initial identity proofing standards; at e-authentication level 4, the highest level, identity proofing must be performed in person, and remote (online) proofing is not permitted.
Anakam’s approach is notable for its ability to provide two-factor authentication without the use of hard tokens, instead leveraging cellular telephones or other devices that end users typically already have and carry with them. Eliminating hard tokens is seen as a practical necessity for managing strong user authentication across very large or diverse user populations, and alternatives to approaches that necessitate token distribution have been sought in banking, healthcare, government services, and other industries. Anakam was a participant and technology provider for the Nationwide Health Information Network (NHIN) Trial Implementations, working with a group led by southeastern regional health information exchange Carespark. Health data is considered sufficiently sensitive to warrant protection using strict access controls such as strong authentication, but few public or private sector organizations want to take on the task of distributing to customers the smart cards or other physical tokens often used to supplement usernames and passwords for user authentication.
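To make the "second factor without a hard token" pattern concrete, the following Python sketch is an added example, written for this page; it is not Anakam’s code, nor any product described here. It shows the server side of a phone-delivered one-time code: a random numeric code is generated, only a salted hash of it is stored, the code is sent through an SMS gateway (stubbed here as a list, since no real gateway is assumed), and verification enforces an expiry window, a guess limit, a constant-time comparison and single use. The class and function names, the five-minute lifetime, the three-attempt limit and the fake phone number are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import time

CODE_DIGITS = 6           # six-digit numeric code: 10**6 possible values (assumed)
CODE_TTL_SECONDS = 300    # a code is usable for five minutes after it is sent (assumed)
MAX_ATTEMPTS = 3          # after three wrong guesses the code is discarded (assumed)


class OutOfBandOTP:
    """Issue and verify one-time codes delivered to a user's phone (illustrative)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms       # callable(phone_number, message); the delivery channel
        self._clock = clock             # injectable so expiry can be tested deterministically
        self._pending = {}              # user_id -> state of the outstanding code

    @staticmethod
    def _digest(salt, code):
        # Only a salted hash of the code is kept server-side, so a leaked table of
        # pending challenges does not hand an attacker usable codes.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id, phone_number):
        # secrets.randbelow is a CSPRNG; the code is zero-padded to a fixed width.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Your verification code is {code}")

    def verify(self, user_id, submitted):
        state = self._pending.get(user_id)
        if state is None:
            return False                      # nothing outstanding for this user
        if self._clock() > state["expires"]:
            del self._pending[user_id]        # expired: the user must request a new code
            return False
        state["attempts"] += 1
        if state["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]        # guess limit hit: force re-issue
            return False
        if not re.fullmatch(r"\d{%d}" % CODE_DIGITS, submitted):
            return False                      # malformed input still burns an attempt
        ok = hmac.compare_digest(self._digest(state["salt"], submitted), state["digest"])
        if ok:
            del self._pending[user_id]        # single use: a captured code cannot be replayed
        return ok


def demo():
    """Walk through the success and failure cases; returns a dict of outcomes."""
    outbox = []                                # constructed stand-in for an SMS gateway
    now = [1_000_000.0]                        # controllable clock (seconds)
    otp = OutOfBandOTP(send_sms=lambda phone, msg: outbox.append((phone, msg)),
                       clock=lambda: now[0])
    phone = "+15555550100"                     # fictitious number

    def last_code():
        return re.search(r"\d{%d}" % CODE_DIGITS, outbox[-1][1]).group()

    def wrong(code):                           # a guaranteed-wrong guess of the right shape
        return f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"

    results = {}
    otp.issue("alice", phone)
    code = last_code()
    results["wrong_guess"] = otp.verify("alice", wrong(code))   # False
    results["right_code"] = otp.verify("alice", code)           # True
    results["replay"] = otp.verify("alice", code)               # False: already consumed

    otp.issue("alice", phone)
    code = last_code()
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = otp.verify("alice", code)              # False: past its lifetime

    otp.issue("alice", phone)
    code = last_code()
    for _ in range(MAX_ATTEMPTS):
        otp.verify("alice", wrong(code))
    results["locked_out"] = otp.verify("alice", code)           # False: guess limit reached
    return results


if __name__ == "__main__":
    print(demo())
```

The guess limit is what makes a six-digit code defensible: without it, an online attacker has roughly one chance in a million per guess but unlimited guesses inside the five-minute window. Note that this code only hardens the verifying side; the security of the phone as a second factor still rests on the delivery channel, and an attacker who can take over the subscriber’s number or read its messages defeats it regardless of how carefully the server behaves.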
In June, we noted with interest a California federal district court ruling in Crispin v. Christian Audigier that interpreted the status of social networking sites under the Stored Communications Act (SCA, 18 U.S.C. chapter 121), found that Facebook, MySpace, and other services should be considered “electronic communications services” under the SCA’s definition, and used that determination to quash several subpoenas issued in a copyright infringement case that sought the disclosure of private messages, user posts, and other information communicated by a user of the sites. As electronic communication services, social network operators are prohibited under the SCA from disclosing “to any person or entity the contents of a communication while in electronic storage by that service” (18 U.S.C. §2702(a)(1)). While the SCA provides several legal avenues by which government entities can request the disclosure of such information, parties to civil suits such as the one in this case have no such standing, and the subpoenas issued in this civil matter therefore did not provide a means to overcome the statutory restrictions on disclosure.
In marked contrast to the district court ruling, the New York Supreme Court last week issued a ruling that ordered an individual’s Facebook and MySpace postings to be provided in discovery in a civil lawsuit. The judge in this case, Romano v. Steelcase, did not consider the constraints imposed by the SCA at all, despite the statute being cited as justification for refusing disclosure. Instead, the majority of the legal reasoning in the ruling addresses the scope of permissible discovery under New York State law and the extent to which a social network site user has a reasonable expectation of privacy with respect to content posted to her profile pages. The judge’s determination that the user does not have such an expectation of privacy was the result of applying prevailing Fourth Amendment doctrine, despite the fact that the party seeking the disclosure is not a government entity but a corporation. The New York court also apparently chose not to take into account the privacy settings Romano had in place for her accounts, possibly because those settings already permitted some potentially relevant information to be publicly accessible.
Courts trying to apply the provisions of the SCA, which was enacted in 1986 as part of the Electronic Communications Privacy Act (ECPA) and modified in 1994 through the Communications Assistance for Law Enforcement Act (CALEA), often seem hard pressed to fit the law to issues arising with more modern technologies and services. For its interpretation of the SCA, the court in the Crispin case relied not only on precedents from judicial rulings (including the Ninth Circuit opinion in Quon v. Arch Wireless) but also on books and relevant law journal articles from professors with expertise in this area of the law. In its analysis of the applicability of the SCA, the district court considered both private messages sent through the social networking sites and posts on user pages (like a user’s Facebook wall), analogizing the former to web-based email and the latter to non-public electronic bulletin boards, and thus managed to tie contemporary Internet services to logical technical equivalents that were in use at the time the law was passed. That potential sign of progress notwithstanding, the order in the Romano case prompted a Wall Street Journal Online blog post that offered a cautionary note to New York residents not to assume that anything they post to social networking sites is protected from discovery.
The United States Supreme Court today granted a petition for a writ of certiorari filed by the federal government, seeking to overturn a ruling by the 3rd Circuit Court of Appeals that allowed AT&T to prevent the disclosure of documents held by the Federal Communications Commission (FCC) related to a 2004 investigation. The release of the documents was sought by telecommunications trade association CompTel, through a request made under the Freedom of Information Act (FOIA, 5 U.S.C. §552). In seeking to block the disclosure, AT&T has argued that releasing the documents would result in an invasion of personal privacy, which would render FOIA’s disclosure requirements inapplicable. The argument hinges on AT&T’s contention that as a corporation it is a “person” in the legal sense of the term, and so should enjoy the same protection from invasions of privacy that individuals do. The Circuit Court accepted AT&T’s interpretation of “person,” noting that the company’s position is fully consistent with definitions in the U.S. Code; Title 1, for instance, states that “the words ‘person’ and ‘whoever’ include corporations, companies, associations, firms, partnerships, societies, and joint stock companies, as well as individuals” (1 U.S.C. §1).
Given the statutory language, it’s hard to argue with the reading or the consideration given by the 3rd Circuit, and that interpretation is precisely the sole question presented in the government’s petition: “Whether Exemption 7(C)’s exemption for ‘personal privacy’ protects the ‘privacy’ of corporate entities.” Aside from its inclusion in Title 1, similar definitions for “person” appear in other statutes, such as the one used in the context of wire and electronic communications: “‘person’ means any employee, or agent of the United States or any State or political subdivision thereof, and any individual, partnership, association, joint stock company, trust, or corporation” (18 U.S.C. §2510(6)). The administration has argued that, at least with respect to FOIA, AT&T’s effort to block disclosure marks the first time in the history of the law that the personal privacy provisions have been applied to a corporation. That fact notwithstanding, where literal interpretations of U.S. laws do not give any indication that Congress intended to have the law applied in a way other than what the law says, federal courts in general and the Supreme Court in particular have historically been unwilling to re-interpret statutory language unless it is too ambiguous to be applied consistently. Ambiguity does not seem to be at issue here, but rather whether the statutory language matches the intent of the legislation; such discrepancies are rarely resolved by the Court, which prefers to leave it to Congress to revise its legislation if its use as enacted subverts the purpose of the law.
HealthcareInfoSecurity.com’s Howard Anderson and others last week covered an indictment filed in Pennsylvania against a man who allegedly used his authorized access (as a hospital employee) to patient records to steal names, dates of birth, social security numbers, and other personal data from patient health records and then used them to file false tax returns. Much of the reporting on the incident has focused on the HIPAA violations of the alleged actions, the HITECH-strengthened criminal and civil penalties for which could theoretically result in millions of dollars in fines and a lengthy prison sentence. While the HIPAA-based prosecution is certainly noteworthy, the facts of the case as reported in the media suggest that the man may also have violated federal and Pennsylvania identity theft laws, including the Identity Theft and Assumption Deterrence Act and section 4120 of the Pennsylvania Crimes Code (18 Pa. Cons. Stat. §4120), and could therefore face additional charges and penalties under those statutes. Under the enhanced civil and criminal enforcement provisions enacted with HITECH, the potential clearly exists for prosecutions for HIPAA violations to become routine, in marked contrast to the almost complete absence of such prosecutions under HIPAA in the past.