After the OPM Breach, It’s Time for IT Organizations to be Accountable

by Jeff Gould, SafeGov.org
Thursday, July 02, 2015

It is time to change the rules, and hold federal IT organizations accountable for their missteps. The OPM breach, which the Obama administration says was the work of Chinese hackers, exposes every current and former federal employee to blackmail, identity theft, phishing attacks, espionage and untold other forms of harassment. While no lives have been lost, the OPM attack is undeniably a national catastrophe whose consequences will be felt for years to come.

Agencies are taking the right steps to protect data

by Karen Evans, KE&T Partners
Wednesday, July 01, 2015

The Office of Personnel Management's Electronic Questionnaires for Investigations Processing system is offline now after the agency says it found a security vulnerability. The site will be offline for four to six weeks. OPM hasn't said the discovery came out of the 30-day cyber sprint called for by federal CIO Tony Scott. Karen Evans, executive director of the U.S. Cyber Challenge and former e-gov administrator at the Office of Management and Budget, is watching the agencies respond to Tony Scott's call. She tells In Depth with Francis Rose how the OPM breach is changing the way agencies protect their data.

Congress shouldn't overlook FedRAMP funding in 2016 budget

by Julie Anderson, AG Strategy Group
Friday, June 26, 2015

FedRAMP is charged with standardizing security assessments for cloud systems across government. While underappreciated, these standardization efforts are vital to improving the security of government data.

Measuring MLAT

by Bryan Cunningham, Cunningham Levy LLP
Friday, June 19, 2015

Measuring a problem is a first step to solving it. Many, myself included, have identified problems with the “Mutual Legal Assistance Treaty” (MLAT) system used by one country to retrieve admissible criminal evidence stored in another. Based on formal international agreements, a country needing evidence (the “requesting country”) under the control of another country (the “responding country”) transmits a written request to the responding country on behalf of state or federal prosecutors in the requesting country. The responding country reviews the request and, if so inclined, secures the evidence under its own laws and, finally, transmits the evidence back to the requesting country. Anecdotal evidence, including the experience of state and federal prosecutors in the United States, suggests that the MLAT process can be slow and cumbersome.

US To China: Do As We Say, Not As We Do

by Paul Rosenzweig, The Chertoff Group
Thursday, June 18, 2015

Is America as authoritarian as China? Surely not. And yet sometimes the differences can be hard to discern. A case in point is their similar approaches to one aspect of criminal law, the lawful intercept rules for telecommunications; approaches that a new study by the American Enterprise Institute characterizes as the imposition of a double standard.

Privacy: The weak link for video security

by Karen Evans, KE&T Partners
Thursday, June 18, 2015

The collection and analysis of video data has become the norm. However, storing sensitive information is currently regulated by outdated security standards—or by no standards at all—that do not offer the necessary protections to prevent hackers or bad actors. Law enforcement, led by the IACP, is addressing this issue head-on with its recently released guidance on video data and cloud computing. The guidelines focus on law enforcement's operational needs and, most importantly, ensure the security of systems and video data. As the updated guidelines state: "Recent calls for the expansion of data collection by law enforcement officers through, for example, the use of body-worn cameras and other sensor devices, only serve to reemphasize the need for clearly articulated policies regarding cloud-based data storage."

IACP Releases Updated Guidance On Police Bodyworn Camera Video Data Storage

by Bradley Shear, Law Office of Bradley S. Shear
Thursday, June 18, 2015

The International Association of Chiefs of Police (IACP) recently published their "Guiding Principles on Cloud Computing in Law Enforcement". These principles are much needed because as more digital video evidence is created by law enforcement, the proper safeguards must be in place to ensure that the data is stored in an appropriate manner for the legal justice system.

A New—Cloud—Seal of Approval

by Julie Anderson, AG Strategy Group
Wednesday, June 17, 2015

By procuring technology platforms that are compliant with ISO 27018, school districts can further protect the privacy of students. Just as a Good Housekeeping Seal of Approval signals to consumers the quality of a product, technology platforms labeled with the phrase “ISO 27018 compliant” provide peace of mind to parents, teachers, and schools.

Striking a Much-Needed Balance on Data Access

by Julie Anderson, AG Strategy Group, and Karen Evans, KE&T Partners
Wednesday, June 17, 2015

As two appointees who have served in different presidential administrations, we don’t see eye to eye on every issue. But we do share common ground in our support of the Law Enforcement Access to Data Stored Abroad (LEADS) Act. The bill is a bipartisan opportunity to improve international law enforcement practices while protecting the privacy of individuals at the same time.

Factor Compliance into Wearable Tech Plans

by Julie Anderson, AG Strategy Group
Monday, June 15, 2015

More employers are considering whether to encourage or even require employees to use wearables to reduce workplace injuries, lower workers’ comp claims and even lower health care benefit costs. But they should take note: any potential exposure to workers’ private health information could subject employers to rules under the Health Insurance Portability and Accountability Act (HIPAA). Wearables such as Google Glass, smart safety helmets and any number of sensor-enabled devices can identify hazardous conditions on worksites such as toxic chemical fumes or equipment under excessive pressure. Employers are also looking into clothing that carries embedded biosensors, actuators and gyroscopes to follow movement, heart rate, stress level, fatigue, and countless other metrics … all of it connected wirelessly to mobile devices and computers. But can the use of such devices expose employers to claims of HIPAA violations? What kind of due diligence will they need to do in order to ensure that their use of wearables can’t come back to haunt them later? Julie Anderson, a principal at AG Strategy Group in Washington, D.C., said this is a murky area as policy always lags behind the development and use of technology. HIPAA was passed in 1996, and nine years later in 2005 HIPAA released its first privacy rule as it related to health care data. In 2013 those rules were updated. “It’s a complex set of issues, and it can take that long for policymakers to react to what’s happening in the marketplace, particularly regarding how health care entities are using technology and handling the data they collect,” Anderson said.