It’s more likely, say experts,  that most companies don’t disclose even very successful hacking attacks, because they never find out about them or just don’t want to spook investors, customers or business partners.

Whatever the reason, the problem’s widespread and, if not checked, could lead to fines and other penalties an organization would rather avoid. And it’s likely up to finance to make sure that doesn’t happen, because in most organizations these days, IT reports to finance, which (with the help of legal) contends with the SEC.

Despite recent guidance from the federal government explaining when publicly traded companies must disclose details about information security incidents, many companies are failing to do so, according to a new report.

Last October, the Securities and Exchange Commission (SEC) issued the  guidance, detailing how and when affected companies need to report data breaches.

However, the majority of businesses still aren’t reporting those incidents, according to a recent investigation by Reuters.

The news organization looked at more than 2,000 filings since the SEC’s guidelines were issued. Though some companies had included new information about cybersecurity risks and incidents, many firms that are known to have suffered breaches did not report them.

For example, defense contractor Lockheed Martin suffered an attack last May, but did not include any information about the breach — or about cybersecurity risk in general — in its most recent 10-Q quarterly filing, Reuters reports.

The SEC’s guidelines, which clarified existing rules rather than creating new ones, says information about some security attacks and the significant risk of future incidents should be included in companies’ standard disclosure material. Companies should report attacks if they:

1. Have a material effect on the organization’s financial condition (if profits are lost, for example)
2. Could result in reported financial information no longer being accurate, or
3. Require the company to materially increase its security expenditures.

The post Who’s thumbing their nose at SEC data breach rules? appeared first on Finance Tech News.

Don’t worry, this isn’t generally bad news for employers or workers. When was the last time news from the IRS fell into that category?

The IRS has decided that the value of employer-provided cell phones, even if partly used for personal calls,  is exempt employees’ wages.

According to IRS Notice 2011-72, the tax agency ruled that if an employer provides an employee with a cell phone “primarily for noncompensatory business purposes,” the cell phone will be treated as a “working-condition fringe benefit,” and the value of the cell phone usage will be excluded from the employee’s wages.

The agency defines  “noncompensatory business purposes” as including, but not limited to:

• the employer’s need to contact the employee at all times for work-related emergencies
• the employer’s requirement that the employee be available to speak with clients at times when the employee is away from the office, and
• the employee’s need to speak with clients located in other time zones at times outside of the employee’s normal work day.

IRS has also recognized that employer-provided cell phones can be used to promote the morale or goodwill of an employee and to attract applicants while still being considered noncompensatory, meaning the phones amount to a nontaxable de minimis fringe benefit. IRS has grandfathered in phones issued on or after January 1, 2010.

In 2010, under the Small Business Jobs Act, cell phones had already been removed from the definition of “listed property,” meaning they no longer required exacting documentation and substantiation to qualify as a business expense. The act, however, hadn’t resolved whether cell phones are a taxable fringe benefit. That’s been settled by the latest ruling.

To see all the details of IRS Notice 2011-72, go here.

The post IRS has new rules for workers’ cellphones appeared first on Finance Tech News.

Top of the list: using minimal types of “layered security” and fraud monitoring to guard against the rising tide of cybercrime.

The recommendation for multi-factor authentication for business customers should be a no-brainer for any institution handling other folks money, but the feds obviously found that some banks don’t bother. And the guidelines tell banks that two elements of authentication is a minimum.

The rules come from Federal Financial Institutions Examination Council (FFIEC) and you can can visit their website to download a pdf of the new guidelines.

Be aware: The FFIEC says bank examiners will be checking up on whether these guidelines are being followed as of January 2012. That’s six months from now, in case you don’t have a calendar handy.

The post Banks get new online security rules appeared first on Finance Tech News.

Like many states, North Carolina’s looking to gather up some lost tax revenue in these dreadful economic times. They requested records from Amazon for sales made to state residents so they could go after some of that money. For now, they’ll have a tough time collecting it.

Amazon doesn’t have to collect sales tax in the state because it maintains no facilities in North Carolina. But shoppers are supposed to pay a tariff  under the state’s use tax that applies to anything “purchased or received” through the mail.

The tax collectors wanted records on about 50 million purchases made between 2003 and 2010 so they can start sending out some bills.

But a federal judge has now ruled that reporting on the books and movies Amazon shoppers purchased violates customers’ rights to privacy.

The ACLU jumped into the case on Amazon’s side. Giving the government details about what books and movies Americans buy or sell, they argued, was a violation of the First Amendment.

The post Amazon fights off tax cops, for now appeared first on Finance Tech News.

Well, that would be the Federal Trade Commission, which yesterday published some rules for bloggers. The bottom line: If the blogger accepts payment or free products from the folks they write about, they have to own up to it.

The commission’s job is to protect consumer interests, but it’s been almost 30 years since they updated their guidelines on product endorsements. In many ways, they didn’t have to. Newspapers and magazines erected what amounted to a “Berlin Wall” between advertisers and the editorial department.

Reporters and columnists were strictly prohibited by their companys’ ethics policies from accepting payment or freebies. Violating the rules meant being fired and losing your career — not something many journalists were willing to risk.

All this has been replaced by the proliferation of “experts” on the Web who now shape consumer tastes. Chief among them are a group of stay-at-home moms who blog obsessively about products they use. These “Mommy Bloggers” have become a big force in sales and marketing, and many of them have been raking in payments and free samples for their efforts.

Until now, they didn’t have to own up to the arrangement.

But with the new FTC rules, they’ll have to — or face up to an $11,000 fine.

The same goes for celebrity endorsements and advertising “testamonials” — you know, those folks who say they lost 8 bazillion pounds kick boxing or eating prepackaged meals.

To read the FTC’s announcement and the new rules, visit the FTC Web site here.

The post FTC cracks down on ‘Mommy blogger,’ celeb endorsements appeared first on Finance Tech News.

Depending on their industry and regulatory environment, IT leaders will need to be aware of the intricacies of XBRL, IFRS, PCI, SOX, Nevada, FRCP, and the Model Audit Rule.

Say what?

Yep, it’s a real alphabet soup out there. Here’s a short run-down on what’s coming:

XBRL

If the SEC’s proposal goes through, public companies will have to start submitting financial statements to the SEC in an electronic format called eXtensible Business Reporting Language (XBRL) in early 09. The largest 500 U.S. public companies will need to send their information in XBRL format to the SEC for filings after their fiscal years ending on or after December 15th of this year. This is only a few short months away for the largest companies, and all others would have to comply in the following two years. The taxonomy for IFRS has been published and if you don’t know what that means then you need to ramp up your team’s XBRL skills.

Structurally, XBRL is like EDI or other business-to-business systems. You can outsource this, buy software, or “rent” software on a monthly basis so there are several options available. The most complicated part of XBRL is footnotes to the financial statements. I recommend reserving as much time for this portion as the rest of the project combined. Training classes are available for XBRL.

IFRS

This is the “big-one” to globalize accounting standards. While the timing proposed by the SEC for U.S. public companies of 2014 to 2016 is a big question mark, most practitioners believe it is simply a matter of time before U.S. companies will need to convert to International Financial Reporting Standards (IFRS). If the largest of public companies indeed need to comply by 2014, they will need to have their accounting system tweaked to IFRS three years earlier to accommodate financial statements as required to be filed with the SEC. The IT implications will vary from company-to-company, including factoring in decisions on ERP conversions and upgrades.

PCI

The Payment Card Industry is mandating certain security procedures related to credit card transaction processing. There are four tiers with increasing requirements, depending on the number of transactions processed by your organization. Immediate evaluation is needed to determine which tier your company falls into so you can understand the requirements and set-up IT procedures. Implementing the PCI standard is becoming more urgent as enforcement is starting and as identify theft events are causing people to inquire whether the standards were being followed. Also, your compliance will be audited annually if your transaction count is above a threshold.

SOX

The Sarbanes-Oxley Act continues to drive IT action. The smaller public companies, otherwise known as “non-accelerated” filers, should be scrambling to complete their controls over financial reporting assessments per Section 404(a) of SOX. The vast majority of SOX’s 66 sections currently apply to all U.S. public companies. Section 404(b) pertaining to the external audit requirement of financial reporting control is the last remaining section waiting out a SEC-approved delay. This delay only applies to non-accelerated filers and has no impact on the current requirement for smaller U.S. public companies to assess their financial reporting controls. Obviously, this has a large impact on IT controls since financial reporting data flows through a company’s software, hardware, networks, databases and servers.

Nevada

On October 1, 2008, the Nevada Legislature passed NRS 597 which includes a requirement for encrypting transmissions (such as e-mail) when they include personal information (a short section at NRS 597.970). If you are a Nevada-based company you must immediately gather information and pursue compliance. Of course, “encryption” and “personal information” are described in other legislation so also see sections NRS 205.4742 and NRS 603A.040, respectively.

FRCP

The Federal Rules of Civil Procedure (FRCP) continue to drive action with email retention and retrieval. If you have not yet addressed e-mail retention, you should now. Admittedly, administering retention periods and purging e-mail is more complicated than traditional structured database systems. However, the need still exists and solutions are finally available.

The post How do you spell accounting IT confusion? appeared first on Finance Tech News.

Known as FACTA (Fair and Accurate Credit Transactions Act), the rules require covered entities to re-examine their ID theft prevention policies and implement new procedures and business practices.

More specifically, FACTA requires a written ID theft prevention policy that includes polices that identify “patterns, practices or specific activities that could indicate identity theft,” according to the FTC (Federal Trade Commission). Violators of the new rules can be subject to civil penalties of up to $2,500 per violation.

The new regulations – also known as Red Flag rules — have long been thought to only apply to financial institutions such as banks, savings and loans, mortgage lenders and credit unions, but as the compliance deadline nears, SMBs (small and midsize businesses) are concerned the rules may also cover them. While clearly targeting financial institutions, the rules also cover “any person or business” that arranges for customer credit.

“A creditor includes anyone who regularly extends credit to their customers, but the definition is not limited to that and can be broader,” said Frank Dorman, a spokesman for the FTC.

The agency defines a creditor as “any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.”

A business alert issued by the FTC adds, “Accepting credit cards as a form of payment does not in and of itself make an entity a creditor.”

When asked if the Red Flag rules apply to SMBs, Steve Neville, Entrust’s director of identity products and solutions, replied, “Technically not, but it is a devilishly detailed question.”

Neville said most companies that extend credit to customers are doing so through an intermediary such as GE Creditline. In that case, GE would assume responsibility for FACTA compliance. Companies that don’t use intermediaries would be subject to the Red Flag rules.

The FTC added the Red Flag rules to FACTA in January. Businesses are required to define policies for recognizing red flags in identity verification. Typical red flags include discrepancies in address histories, fraud alerts on consumer reports, questionable use of Social Security numbers, credit freeze notifications and unusual patterns of customer activities.

The post Does FACTA affect your biz? appeared first on Finance Tech News.

The Transportation Security Administration will let travelers leave their computers in “checkpoint friendly” cases.

The new rules are intended to help streamline the X-ray inspection lines.

The TSA says it “reached out to bag manufacturers” to design laptop cases that would provide a clear, unobstructed image of the computer as it passed through an X-ray machine.

The agency said the new bags will be available for purchase this month.

To qualify as “checkpoint friendly,” a bag must have a designated laptop-only section that unfolds to lie flat on the X-ray machine belt and contains no metal snaps, zippers or buckles or pockets.

Among the manufacturers selling TSA-approved laptop bags are Mobile Edge, Skooba Design and Targus Inc.

To read the TSA’s official info on the new rules, visit their Web site.

The post New security rules for laptops in airports appeared first on Finance Tech News.

And who has the most problem’s following IT rules?

Members of Generation Y (people born after 1980) have the toughest time with what’s “acceptable use.”

These are the folks who know technology and who use it as much – if not more – for personal reasons, so it makes sense that personal use would bleed over into work hours more often than with older users.

A study by security vendor Symantec, shows that younger employees might have a very different take on what’s OK for work.

For example, 75% of the “millennials” surveyed use personal e-mail at work (compared to 54% of other workers).

About two thirds (66%) use Facebook and Myspace, compared to just 13% of older workers.

The cure: Education and policy enforcement.

The post Guess who’s breaking tech rules most appeared first on Finance Tech News.

A violation of free speech?

Hardly. Employees need to understand that what they do publicly can have a big impact
on the business they work for.

The blogger in question was an Emmy-winning producer of CNN’s morning show, Chez Pazienza.

While recovering from surgery, Pazienza took to blogging and his bosses at the network weren’t happy about his online prose.

Upshot? Pazienza got fired.

Seems the CNN employee handbook had expressly forbidden its staff from writing for a “non-CNN outlet.” His blog was one.

Make sure your users know what the company rule is about blogging.

If you don’t have a rule, your HR department might want to consider drafting one.

To read more about Pazienza’s trials and tribulations, read this.

The post Blog on, but keep your day job safe appeared first on Finance Tech News.