New Jersey’s new chief technology officer has announced plans to boost data security by ramping up compliance monitoring in the state. In other GRC news, the Consumer Financial Protection Bureau has proposed exempting certain financial institutions from the annual privacy notice requirement under the Gramm-Leach-Bliley Act; and the FTC says it closes 70% of its data security investigations.
New Jersey CTO aims to boost security by focusing on compliance
David Weinstein, New Jersey’s newly appointed CTO, said he plans to enforce security standards and policies with “more teeth” and to better monitor compliance across state agencies.
Weinstein will report to New Jersey governor Chris Christie. He was appointed to the cabinet-level position in late June after his tenure as the state’s CISO.
Weinstein’s office plans to employ GRC software to monitor compliance, publish cloud security governance standards, update IT risk management policies and develop new security assessments for high-risk agencies, such as those that store a high volume of PII.
“We’re really focused on embedding security not just into the culture of our IT operations but also the way we do business and develop applications and infrastructure,” Weinstein told The Wall Street Journal.
Weinstein also has his sights set on wider cloud computing adoption.
CFPB proposes exemptions to GLBA annual privacy notices
The Consumer Financial Protection Bureau (CFPB) has proposed a rule that would implement amendments to privacy protections outlined in the Gramm-Leach-Bliley Act. Under the GLBA, certain financial companies are required to give their customers initial and yearly notices on their privacy practices, including how they share customers’ nonpublic personal information. These companies must also notify their customers of their right to opt out of allowing the companies to share their personal information with unaffiliated third parties.
Congress amended GLBA in December 2015 to allow some financial institutions to be exempt from sending the annual privacy notices, and the CFPB’s new proposed rule would make these exemptions official.
According to a July 1 press release by the CFPB, a financial institution can claim exception to the requirements “if it limits its sharing of customer information so that the customer does not have the right to opt out and has not changed its privacy notice from the one previously delivered to its customer.”
FTC has a 70% closure rate of data security investigations
The Federal Trade Commission closes 70% of data security cases, according to Maureen Ohlhausen, the agency’s commissioner. Ohlhausen detailed the FTC’s enforcement practices at a panel on security regulation held in Washington, D.C., late last month. This closure percentage pertains only to breach investigations that the FTC has formally opened, said Ohlhausen, who pointed out that the agency doesn’t formally investigate every data breach.
The reasons the FTC closes a case, according to Ohlhausen, include the commission having deemed a company’s security strategy “reasonable.”
“A company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operation, and the cost of available tools to improve security and reduce vulnerabilities,” the Commissioner explained.
Ohlhausen also said that the FTC is still trying to establish how it should interpret certain standards, particularly how PCI DSS regulates and controls payment card data.