Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures Presentation to the Greater Washington, DC Chapter of ARMA International Wednesday, March 21, 2007 Bruce H. Nielson


Page 1: Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures Presentation to the Greater Washington, DC Chapter of ARMA International.

Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures

Presentation to the Greater Washington, DC Chapter of ARMA International

Wednesday, March 21, 2007

Bruce H. Nielson

Page 2

Outline of Presentation

Data Privacy and Security Breaches, Problems and Risks
  Data Security Breach Incidents
  Additional Risks

Overview of Applicable Laws and Regulations
  Federal
  International
  State

Risk Mitigation Measures
  Human Resources-related Measures
  Vendor/Service Provider-related Measures
  Technological Measures

Q & A

Page 3

Data Privacy and Security Breaches, Problems and Risks

104,137,499: total number of records containing sensitive personal information estimated to have been involved in security breaches since Jan 2005 (probably a significant underestimation)

Source: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Current and recent headlines

Page 4

Data Privacy and Security Breaches, Problems and Risks (cont.)

TJX Says Data Breach Worse than Previously Believed

Ongoing probe shows it happened almost a year earlier than first thought, as far back as July 2005

TJX still hasn't disclosed the number of shoppers that may have been affected by the breach; analysts believe the number to be in the tens of millions

Comerica Bank is reissuing cards to its customers whose account information was compromised in the TJX breach

Page 5

Data Privacy and Security Breaches, Problems and Risks (cont.)

Hack Attack Forces Texas A&M To Change 96,000 Passwords

Texas A&M University is forcing 96,000 students, faculty, and staff to change their passwords after a hacker attempted a network break-in

The university's computer users can get updated information about the break-in and the ongoing investigation at a University web site. University officials are directing people to the web site for information on how to safeguard personal information

Page 6

Data Privacy and Security Breaches, Problems and Risks (cont.)

University of Idaho Put Staff Data on Web

Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused

A university data file was mistakenly included along with a report from the UI's internal research department that was posted at the department's Web site. It contained information including names, birthdates and Social Security numbers for about 2,700 university employees, but did not include any personal financial account numbers

Page 7

Data Privacy and Security Breaches, Problems and Risks (cont.)

CD with Medical Data of 75,000 is Found

A missing CD containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was recovered Wednesday

A spokeswoman for a managed care company that monitors payments for mental health and substance abuse cases of insurers, said the company received a telephone call Wednesday morning saying that the CD was delivered by mistake to a residence in the Philadelphia area. The CD had been missing since January

No way to track whether copies of the CD were made

Page 8

Data Privacy and Security Breaches, Problems and Risks (cont.)

PC, Phone Home

Several years ago, Bob installed SETI@home on his wife's laptop, which was stolen from the couple's Minneapolis home on Jan. 1

Annoyed at the break-in – and alarmed that someone could delete the screenplays and novels that his wife, Sue, was writing – Bob monitored the SETI@home database to see if the stolen laptop would “talk” to the Berkeley servers. The laptop checked in three times within a week, and Bob sent the IP addresses to the Minneapolis Police Department

Officers subpoenaed Bob's Internet service provider, to determine the address where the stolen laptop logged onto the Internet. Within days, officers seized the computer and returned it to the rightful owners

Page 9

Data Privacy and Security Breaches, Problems and Risks (cont.)

Former Fruit of the Loom Workers' Identities Compromised

A security breach with a Fruit of the Loom database has left former Rabun Apparel Inc. employees on edge

Word spread rapidly across the North Georgia Technical College campus Tuesday morning about how easily one could access the 1,006 names and Social Security numbers of the former employees

Fruit spokesman said Tuesday evening that every possible step was being taken to purge the information from the Internet. Sometime between Tuesday night and Wednesday morning, it could no longer be accessed

Page 10

Data Privacy and Security Breaches, Problems and Risks (cont.)

Thief Stole Credit Card Numbers from Seed Site

A cyber thief broke into the web site of Johnny's Selected Seeds and stole sensitive customer data, including credit card numbers; in all, 11,500 accounts were compromised. Approximately 20 of the stolen card numbers have been used fraudulently

The site is now under 24-hour monitoring to prevent a recurrence; other security measures have also been implemented. Johnny's has notified all people whose account information was stolen. The initial intrusion occurred on February 4, 2007. A company official said "criminals gained access to our internal systems and gathered enough information to allow them to gain access to our web site." The FBI is investigating

Page 11

Data Privacy and Security Breaches, Problems and Risks (cont.)

Downloading from the Internet

A user downloaded photos of Paris Hilton for her Windows desktop. Windows asked her to say yes to executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer started to slow down to the point where she was unable to use it. Even when she rebooted, she couldn't launch programs

The IT department determined she had downloaded a Trojan program along with the photo. Her downloaded photo had a malicious payload attached that used her computer to send out spam. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process

Page 12

Data Privacy and Security Breaches, Problems and Risks (cont.)

Plugging in USB drives (or any other storage devices or media) that are found lying around

People's natural curiosity and desire to help were exploited by a consultant who was hired to check security awareness at a credit union. He loaded malicious software on old thumb drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged any of the thumb drives into his computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers

Page 13

Data Privacy and Security Breaches, Problems and Risks (cont.)

Use of unauthorized software

It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them may often cause other programs to stop working and it can take a long time for your IT teams to track down the problem. More seriously, they can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected by viruses or spyware that are intended to damage your PC or steal confidential information

Page 14

Data Privacy and Security Breaches, Problems and Risks (cont.)

Your new ID-theft worry? Photocopiers

No known incidents yet, but potential is very real

Most digital copiers manufactured in the past five years have disk drives to reproduce documents; copiers can retain the data being scanned

If the data on the copier's disk aren't protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, sensitive information from original documents could get into the wrong hands

More than half of all Americans may unknowingly put their private financial information at risk this tax season when they copy their tax returns

Page 15

Data Privacy and Security Breaches, Problems and Risks (cont.)

Instant Messaging Security Risks

IM creates new avenues for the distribution of malware (viruses, worms, spyware, etc.), which can jeopardize the security of a computer network

IM opens new “holes” through which information that is to be kept secure and confidential can be leaked

IM may create “invisible” communications channels that operate below the radar of conventional information security measures

Page 16

Data Privacy and Security Breaches, Problems and Risks (cont.)

Wireless and Voice Over the Internet Protocol (“VoIP”) Security Risks

Interception or capture of transmissions or packets

Modification of transmissions or packets

ID theft and theft of services; hijacking a VoIP call and masquerading as the intended called party

Denial of service attacks that disrupt all data streams

Page 17

Data Privacy and Security Breaches, Problems and Risks (cont.)

Employees and Vendors: Weak Points in Data Privacy and Security Strategy

With news of another high-profile data security breach almost a daily occurrence, companies must ensure two crucial weak points — their employees and third-party vendors — are covered in their data privacy and security protocols

Employers are responsible for employee theft of information, and may also be liable if they don't ensure third-party vendors have sufficient controls in place

Page 18

Data Privacy and Security Breaches, Problems and Risks (cont.)

Most Data Breaches Traced to Company Errors

Research from the University of Washington, Seattle says that organizations are more often to blame for data security breaches than outside intruders

Looked at 550 data breaches that received media coverage between 1980 and 2006

Two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management or employee errors

Less than one-third of the breaches were the work of outside attackers

Page 19

Data Privacy and Security Breaches, Problems and Risks (cont.)

Intel Fails to Keep Antitrust Email

Intel said it has not properly preserved emails related to its ongoing antitrust litigation with rival Advanced Micro Devices

In a court filing, lawyers for Intel blamed human error for a number of "inadvertent mistakes" that it says resulted in certain employees failing to retain outgoing emails as required as well as some employees not receiving timely instructions to save documents

Page 20

Data Privacy and Security Breaches, Problems and Risks (cont.)

What’s the solution?

Page 21

Overview of Applicable Laws and Regulations

Federal Data Privacy and Security Laws

Gramm-Leach-Bliley Act (1999)

Applies to “Financial institutions”

Protects non-public personal financial information of consumers

Regulations promulgated by the banking regulators, the SEC and the FTC

Has data privacy and security requirements

Notice and opt-out model

Page 22

Overview of Applicable Laws and Regulations (cont.)

Federal Data Privacy and Security Laws (cont.)

HIPAA – The Health Insurance Portability and Accountability Act of 1996

Applies to health care providers, health plans, and companies that receive and process health information from health care providers and health plans – so-called business associates

Requires Business Associate Agreement

Protects “individually identifiable health information”

Does not apply to de-identified health information

Page 23

Overview of Applicable Laws and Regulations (cont.)

Federal Data Privacy and Security Laws (cont.)

Fair and Accurate Credit Transactions Act of 2003

Prohibits all persons and entities that accept credit cards and debit cards for business transactions from printing more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction
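As an added example (not from the presentation), a Python check for the receipt-truncation rule just described: it flags receipt lines that print more than the last 5 digits of a card number or an expiration date, and redacts them. The sample receipts are constructed, and the Luhn checksum is used here only to avoid flagging order numbers and similar digit runs.

```python
import re

# Constructed sample receipts (not from the presentation) used to exercise the checks.
NONCOMPLIANT_RECEIPT = """ACME STORE #42  2007-03-21
VISA 4111 1111 1111 1111  EXP 09/09
TOTAL $42.17
"""

COMPLIANT_RECEIPT = """ACME STORE #42  2007-03-21
VISA ***********11111
TOTAL $42.17
ORDER 000123456789012
"""

# Runs of 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY or MM/YYYY; flagged whatever the label, since the Act bars printing the date at all.
EXPIRY_RE = re.compile(r"\b(0[1-9]|1[0-2])/(\d{2}|\d{4})\b")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask a card number so only the last 5 digits remain, the most FACTA allows on a receipt."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 5) + digits[-5:]

def facta_violations(receipt: str) -> list:
    """Return (line_number, kind) for every line printing a full PAN or an expiration date."""
    found = []
    for lineno, line in enumerate(receipt.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group(0))):   # Luhn filters out order numbers etc.
                found.append((lineno, "pan"))
        if EXPIRY_RE.search(line):
            found.append((lineno, "expiry"))
    return found

def redact_receipt(receipt: str) -> str:
    """Return the receipt with card numbers masked to the last 5 digits and expiry dates removed."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return EXPIRY_RE.sub("**/**", PAN_RE.sub(_mask, receipt))

if __name__ == "__main__":
    print(facta_violations(NONCOMPLIANT_RECEIPT))   # [(2, 'pan'), (2, 'expiry')]
    print(redact_receipt(NONCOMPLIANT_RECEIPT))
```

The date-like pattern errs on the side of flagging, which is the trade-off a receipt-printing review wants; a dated line such as 03/21 would be reported for a human to look at.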

Page 24

Overview of Applicable Laws and Regulations (cont.)

Federal Data Privacy and Security Laws (cont.)

Proposed federal legislation for a data security breach notification law

It's Round 2 in Congress' bid to craft federal law that would require businesses to notify U.S. consumers about computer data-security breaches. Some believe that legislation introduced in February soon could become law, given the cooperative tone of federal lawmakers. That would be a reversal from the previous few years, when members of the House and Senate could not agree on a national data-breach law, and dozens of states passed their own laws

Page 25

Overview of Applicable Laws and Regulations (cont.)

Foreign Laws

EU Data Directive – Directive 95/46/EC of the European Parliament and of the Council of October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Canadian Privacy Law – An Act to Support and Promote Electronic Commerce by Protecting Personal Information that is Collected, Used or Disclosed in Certain Circumstances . . .

Notice and opt-in model

Page 26

Overview of Applicable Laws and Regulations (cont.)

State Laws

Non-disclosure of Social Security Numbers

More than half of the states have laws that prohibit the disclosure of “whole” social security numbers without consent

Data security breach notification laws

Nearly three quarters of the states have laws that require notification of affected individuals in the case of a data security breach incident, along with certain remedial measures

Page 27

Overview of Applicable Laws and Regulations (cont.)

Absence of Federal Data Breach Notification Law, and Passage of State Laws, Results in . . .

Page 28

Risk Mitigation Measures

Human Resources-related Measures

Employee background checks

Employee training and education

Acceptable use policies for emails, IMs, downloads, and use of the Internet and company systems and equipment

Disclaimer of privacy when using company assets

Appropriate monitoring of usage

Appropriate actions against violators

Page 29

Risk Mitigation Measures (cont.)

Vendor/Service Provider-related Measures

Background checks of vendor and service provider personnel

Vendor and service provider agreements to comply, and to cause their employees to comply, with applicable laws and with vendee’s data privacy and security policies

Indemnification from vendors and service providers against costs, losses and expenses from any data security breach or failure to comply with applicable law or vendee’s policies

Page 30

Risk Mitigation Measures (cont.)

Technological Measures

Password protection for computers, devices, networks, documents and databases

Physical security for servers, equipment, devices and data and document storage and processing areas

Data encryption

Internet firewalls, email filters, anti-virus software programs and meta data scrubbing programs

Tracking of missing/stolen devices

Data security breach response plan

Page 31

Questions and Answers