Privacy Breach vs. Security Breach
The Great Lakes InfraGard Conference
Securing Our Critical Infrastructures
June 20, 2012
Keith A. Cheresko, Principal, Privacy Associates International LLC
Purpose
• Explore the sometimes murky and confusing world of data breaches
• Shed light on the differences and similarities of privacy and security breaches
• Leave you with a better understanding of the environment in which we all operate
• Provide actionable ideas to help prevent breaches and help increase the security of data under our control
Agenda
• Terminology
• Background
• Governing Rules
• Practical Suggestions
• Questions & (hopefully) Answers
Terminology
• Personal - “of, relating to, or affecting a particular person: private, individual <personal ambition> <personal financial gain>” (Webster)
• Personal Information (PI) - data of, relating to, or affecting a particular person
• Personally Identifiable Information (PII) - data that can be tied to a unique person, some of which has obtained defined legal protection (information relating to an identified or identifiable individual)
Statistics
As of June 16, the Privacy Clearinghouse database lists:
• 562,242,283 records from 3,136 data breaches made public from 2005 to June 2012
• 18,537,734 records from 264 breaches made public so far in 2012
• 6,563,454 records from 16 breaches made public in June alone (half reporting unknown amounts)
Statistics
The Verizon 2012 Data Breach Investigations Report indicates:
• 855 incidents resulting in 174,000,000 compromised records
Statistics
The Ponemon Institute’s 2011 Cost of Data Breach Study for US-based companies reports:
• $194 average cost per compromised record
• $5,500,000 average organizational cost per event
Privacy vs. Security
• To answer, first consider the difference between privacy and security
• Privacy relates to giving an individual some level of control over his personally identifiable information (PII)
• Definitions of PII vary, which we will discuss later
• To give the individual some control, privacy is concerned with matters such as choice, notice, access, data quality, and security as it relates to PII
• Data security is concerned with the safeguarding of all data, not just PII
• Privacy is broader than security in one sense (it covers more than safeguarding); security is broader than privacy in another (it covers more than PII)
What is a Privacy Breach?
Can relate to two situations:
• The unauthorized access to or acquisition of the kind of PII specified by an applicable law (security of PII)
• The failure to live up to obligations made with respect to non-security related aspects of privacy (notice, choice, access, etc.)
What is a Security Breach?
The unauthorized access to or acquisition of anything proprietary:
• Buildings, facilities and other physical plants
• Computer equipment
• Product inventory
• Confidential or secret information
• Trade secrets
• Intellectual property
• Proprietary items
• Financial information
• Data in paper or electronic form
• Personal information of consumers, employees, etc.
• Customer lists
Should I worry?
Virtually any organization handling PI has the potential to experience a breach of data (personal or other type) security. For example, consider the cross section of reported breaches:
• Retailers – Michaels Stores, Macy’s St. Louis
• Hospitality/food and beverage – Five Guys, Hannaford Bros.
• Education Institutions – University of North Florida, University of Virginia
• Healthcare Providers – Phoenix Cardiac Surgery, South Shore Hospital, Charlie Norwood V.A. Medical Center
• Financial Institutions – Citi, U.S. Federal Retirement Thrift Savings Plan
Who is affected?
• Payment Processors – WHMCS, Heartland Payment Systems
• Professional Service Providers – Law Firms, Accountants, Auditors
• Governmental Entities and Agencies – Office of the Texas Attorney General, City of New Haven, New York State Office of Children and Family Services
• Internet Service Providers – LinkedIn, eHarmony
• Utilities
• and on and on and on ---
Consequences of a breach?
Depending on the nature, sensitivity, type and volume of data or other assets compromised, it may mean:
• Loss of intellectual property
• Possible ID theft
• Damage to organization’s reputation
• Legal actions – regulatory and consumer
• Operating and operational inefficiencies
• Increased operating costs
• Organization freeze-up/paralysis
• Lost business from consumer churn, business termination
• Adverse impact on market valuation
U.S. Federal Laws: Privacy and Information Security
• The Federal Trade Commission Act
• The Gramm Leach Bliley Act
• The Health Information Portability and Accountability Act of 1996
• Health Information Technology for Economic and Clinical Health
• Family Education Rights and Privacy Act of 1974
• Driver's Privacy Protection Act of 1994
• Federal Information Security Management Act of 2002
• Fair and Accurate Credit Transactions Act
U.S. Federal Laws: Privacy and Information Security (continued)
• Electronic Communications Privacy Act
• Telephone Consumers Protection Act of 1991
• Privacy Act of 1974
• Computer Security Act of 1987
• E-Government Act of 2002
• Children's Online Privacy Protection Act of 1998
• Children's Internet Protection Act
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
FTC and Consumer Data
• FTC expects organizations to provide physical, technical, and administrative security for consumer personal information
• FTC does not expect maximum available security; rather, security should be reasonable and appropriate to:
  • Organization’s size and complexity
  • The nature and scope of its activities
  • Sensitivity of the PI
• Risk assessments should be conducted to determine areas of greatest risk, and reasonable safeguards must be implemented in light of those findings
Gramm-Leach-Bliley (GLBA) Financial Data Security: Interagency Guidelines
• Law required agencies to adopt security regulations relating to physical, technical, and administrative safeguards against the unauthorized access to, or use of, customer information
• Result - Interagency Guidelines Establishing Standards for Safeguarding Customer Information
• Require written information security plans
• The plans must assess, manage, and control threats that could result in unauthorized disclosure of information
• Encourage adoption of measures appropriate to the institution’s circumstances
FTC Safeguards Rule
• Design a program to protect against unauthorized access to, or use of, customer information that could result in “substantial harm or inconvenience” to customers
• Designate coordinator(s) for the program
• Conduct a risk assessment
  • Identify internal and external risks to customer information and
  • Assess the sufficiency of existing safeguards to control the risks
• Design and implement safeguards to control the identified risks
FTC Safeguards Rule (continued)
• Regularly test the effectiveness of the safeguards
• Oversee service providers
  • Select and retain service providers capable of maintaining appropriate safeguards
  • Require service providers to implement and maintain safeguards
• Evaluate and adjust the program in light of
  • regular testing and monitoring,
  • material changes in business, or
  • other circumstances that have a material impact on the program
Protected Health Information
• HIPAA, HITECH and the HIPAA Security Rule establish national standards for the protection of individuals’ electronic personal health information in the hands of “covered” entities
• HIPAA requires appropriate administrative, physical, and technical safeguards, but includes a much more specific mandate under the Security Rule
• HITECH amendments to HIPAA apply the HIPAA Security Rule directly to business associates. HHS can audit business associates for compliance and impose civil and criminal penalties (up to $1.5m), and State AGs can bring separate actions
FERPA, DPPA, FISMA and FACTA
• Family Education Rights and Privacy Act of 1974 (limits disclosures of educational records maintained by agencies and institutions that receive federal funding)
• Driver's Privacy Protection Act of 1994 (limits disclosures of personal information in records maintained by state departments of motor vehicles)
• Federal Information Security Management Act of 2002 (requires federal agencies to develop, document and implement an agency-wide program to provide information security)
• Fair and Accurate Credit Transactions Act (Red Flag and Data Disposal rules)
State General Data Security Safeguards
Generally -
• Apply to any person owning or licensing PII relating to residents of the state
• Require business implementation and maintenance of reasonable security procedures and practices for the protection of PII
• Require appropriate disposal of PII, rendering it unreadable or undecipherable
State Data Security Laws
• At least 33 states have laws relating to Social Security numbers (SSNs), designed primarily to limit the use of SSNs
• Five states require implementation of policies to protect SSNs
  • Connecticut, Michigan, New Mexico, New York, Texas
• Two states have gone farther in specifying required business security practices
  • Massachusetts and Nevada
Massachusetts Rule
• Applies to any person who receives, maintains, processes, or has access to PI about MA residents
• The regulation nominally applies to any entity, anywhere in the world, holding PI relating to a MA resident
• The covered PI is defined as an individual’s name in combination with a SSN, driver’s license number, or financial account number, credit or debit card number (with or without password)
Massachusetts Rule Requirements
• Performance of risk assessments
• Development and maintenance of a comprehensive Written Information Security Program (WISP)
• Application of physical security controls
• Application of electronic security controls
• Use of encryption
• Selection and retention of competent service providers
• Employee training
• Employee compliance
• Development and maintenance of appropriate policies regarding storage, access, and transportation of personal information outside business premises
• Processes in place preventing terminated employees from accessing personal information
• Documenting responses to breach incidents and post-incident reviews
Nevada Encryption Law
• Applies to a business that maintains, handles, collects, disseminates, or deals with personal information
• Personal information is defined as an individual’s name in combination with a SSN, driver’s license number, or financial account number
• Must encrypt electronic transmission (other than fax) to a person outside the business’ own secure system
• Must encrypt “data storage devices” when they are moved beyond the logical or physical controls of the business or its data storage contractor
Other Considerations
• Specialty state and local requirements
• Trade association undertakings
• Payment Card Industry Data Security Standards
• Mobile practices
• Constantly shifting environment
• New uses and applications for data
Breach Notification Laws
• Designed to help enforce security obligations
• In theory, help consumers protect themselves
• Provide government authorities enforcement opportunities
• Bad PR and breach-associated costs encourage compliance
• Notification is generally triggered by the unauthorized access to, or acquisition of, PI covered by the law
• Other variables affect whether a breach notification law applies, such as:
  • Storage medium involved
  • Use of data encryption
Federal Breach Notification: GLBA
Regulations adopted by financial regulators and the FTC pursuant to GLBA include breach notification provisions for unauthorized access to sensitive customer information held by banks and other financial institutions.
Federal Breach Notification: HIPAA (HITECH)
• Written notices must be provided within 60 days after discovery of the breach
• Law enforcement delay if notification would impede a criminal investigation or damage national security
• Content requirements
• A covered entity must notify:
  • HHS of any breach involving more than 500 individuals when it provides consumer notice
  • HHS annually of breaches involving fewer than 500 individuals
  • Prominent media in a state of breaches involving more than 500 residents of the state
Federal Breach Notification: HIPAA (HITECH) (continued)
• A Business Associate that discovers a breach must notify the covered entity
• Similar FTC rule for vendors of personal health records and entities offering products or services through the Web site of a vendor of personal health records
U.S. State Breach Notification Laws
46 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have laws:
• PI usually covered: name plus SSN, driver’s license number, bank account information with PIN, or health information (often with an exception when encrypted); there are significant state variations in covered PI
• Notice to individuals required in the event of a breach and, in some instances, notice to credit-reporting agencies and/or regulators (e.g., New York Attorney General, New Jersey State Police) also specified
• 18 states impose requirements with respect to the content of the consumer notice
• State insurance regulators also impose notification requirements on insurance companies
The Hits Keep on Coming With These Events Recently in the Headlines
• WHMCS Breach May Be Only Tip of the Trouble
• Spokeo to Pay $800,000 to Settle FTC Charges
• Myspace Settles FTC Charges it Misled Millions of Users
• Lax Security at LinkedIn is Laid Bare
• Potential Class Action Targets Emory Healthcare Over Patient Data Breach
• ID Theft in Backyard of Texas Attorney General
• Massachusetts Levies Fine of $15,000 for Stolen Laptop
• HHS Settles Cases with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards
• A Six-Figure Credit Breach at Five Guys
• Information of U.S. Federal Employees Exposed
• South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations
• House Committee to Probe e-Banking Heists
Privacy and Other Data Security Breaches
• An ounce of prevention is worth a whole lot more than a pound of cure
• It is not a “once and done” adventure
• When the going gets tough, the tough get going
• Yammer, yammer, yammer ….
Practical Considerations
• Basic requirements for data protection are surprisingly similar across segments, although details do vary
• The concept of technical, physical and administrative security requirements is almost universal
• The requirement to conduct practical risk assessments of the organization’s requirements and vulnerabilities is also present in many segments and jurisdictions
• Most laws do not specify technical or physical requirements beyond requiring that they be reasonable, appropriate or adequate
Inventory your data/asset
• What is it?
• Where is it?
• Where is it going?
• Will it visit third parties?
• Who needs it to do their work?
• How is it used?
• How is it gathered and shared?
• How is it stored?
• What is its final resting place?
• Will it be gone for good?
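The inventory questions above (“What is it? Where is it?”) and the covered-PI definitions on the Massachusetts and state breach-notification slides (name in combination with SSN, driver’s license number, or financial account/card number, often with an encryption exception) can be turned into a first-pass scan of the organization’s data stores. The following is an added example written for this page, not code from the presentation or from Privacy Associates International; the sample data stores, the record layout (a `name` field plus free-text fields), the store-level `encrypted` flag, and the `DL` label used to spot driver’s license numbers are all assumptions. It checks SSN candidates against the Social Security Administration’s structural rules (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid) and card or account candidates with the Luhn checksum, so that random digit runs such as ticket numbers do not inflate the inventory.

```python
import re
from typing import Dict, List, Set

# Identifier patterns for the elements the state definitions name. Driver's
# license formats vary by state, so this example (an assumption) only flags a
# value that is explicitly labelled "DL".
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
DL_LABEL_RE = re.compile(r"\bDL[#:]?\s*([A-Z0-9]{5,15})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000/666/900-999, group 00 and serial 0000 are never issued."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most arbitrary digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> Set[str]:
    """Return the set of covered-PI element types found in one text value."""
    found: Set[str] = set()
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            found.add("card_or_account")
    if DL_LABEL_RE.search(text):
        found.add("drivers_license")
    return found


def covered_pi_elements(record: Dict[str, str]) -> Set[str]:
    """Scan every field of a record for identifier types."""
    found: Set[str] = set()
    for value in record.values():
        found |= find_identifiers(str(value))
    return found


def inventory_report(stores: List[dict]) -> List[dict]:
    """For each store: does it hold covered PI (name + at least one identifier),
    which element types, and would a store-level encryption exception apply?"""
    report = []
    for store in stores:
        elements: Set[str] = set()
        covered = False
        for record in store["records"]:
            found = covered_pi_elements(record)
            if record.get("name", "").strip() and found:
                covered = True          # name in combination with an identifier
            elements |= found
        report.append({
            "store": store["store"],
            "covered_pi": covered,
            "elements": sorted(elements),
            # Encryption only matters for notification if the store holds covered PI.
            "notification_exception": covered and store["encrypted"],
        })
    return report


# Constructed sample data stores (not from the deck); identifiers are test values.
SAMPLE_STORES = [
    {"store": "hr_payroll.csv", "encrypted": False,
     "records": [{"name": "Jane Doe", "notes": "SSN 123-45-6789 on file"}]},
    {"store": "web_orders.db", "encrypted": True,
     "records": [{"name": "John Roe", "payment": "4111 1111 1111 1111"}]},
    {"store": "marketing_list.csv", "encrypted": False,
     "records": [{"name": "Pat Poe", "email": "pat@example.com", "phone": "555-0100"}]},
    {"store": "scan_log.txt", "encrypted": False,
     "records": [{"name": "", "notes": "ticket 000-12-3456 is not an SSN"}]},
]

if __name__ == "__main__":
    for row in inventory_report(SAMPLE_STORES):
        print(row)
```

The report answers the first two inventory questions for each store and marks which stores the Massachusetts and Nevada rules (name plus identifier) would reach; the `notification_exception` column is a reminder that encryption changes the notification analysis but not whether the store must be protected in the first place.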
Assess Risks/Threats
• Identify all threats within the realm of possibility to the security of the data or asset
• Consider all sources, whether:
  • Internal
  • External
  • Natural
  • Man-made
  • Innocent
  • Malicious
• Assess the consequences to the organization should the identified threat materialize
• What is the likelihood of the threat/risk materializing?
• What mitigations are there to counter the risk or recover if it occurs?
Physical Matters
Physical security includes:
• Facility access controls
  • Locks
  • Alarms
  • Guards
• Safeguarding hard copy documents with PI
  • Locking filing cabinets
  • Clean desk policies
• Securing hardware on which PI is stored
  • Computers
  • Mobile devices
  • Flash drives
  • Modems
Administrative Measures
Administrative measures include rules and training applicable to PI handling, such as:
• Ensuring access authorization is only given to individuals with legitimate purposes
• Authentication rules
• Rules limiting what data can be stored on portable devices such as laptops, smart phones, thumb drives and other storage media
• Security provisions in supplier contracts
• Security training for those with access to PI
• On-boarding and termination processes
• Policy administration
• Policy enforcement through appropriate disciplinary actions
Administrative Measures (continued)
• Technology use policy
  • Blogging and social networking, peer to peer file sharing programs, remote access, use of laptops
• Security breach notification procedure
  • How is unauthorized access or acquisition reported?
  • Who is on the immediate response team?
• Confidentiality policy
  • Does it cover confidential information and personal information?
• Training
• Audit
• Office rules – badging, clear desk and screen locks
• Processes and teams for security incident management
• Downstream controls – contractual and audit controls on data recipients
• Officer, director, and employee training
Typical Requirements
• Assign responsibility with accountability to a lead person
• Conduct risk assessments
• Establish comprehensive written policies and procedures
• Train employees
• Evaluate and then supervise service providers
• Execute contracts with service providers
• Provide secure disposal
• Audit
• Create and implement incident response, record retention, and disaster recovery plans
Organization
Dealing with high-level requirements (“reasonable security”):
• Determining what constitutes “reasonable security” is a team effort
• The determination should involve representatives from privacy, IT, legal, physical security, HR/training, and potentially other functions and advisors
• Work to determine what safeguards are necessary based on the specific vulnerabilities of the particular organization (risk analysis), the consequences of a breach, and general good security practices
• Documentation is critical