A Unified Approach to Security Compliance Diebold Security Customer Advisory Council 2008



Overview

• Rising Tide of Information Security, Privacy and Internet Regulation
  – Federal
  – State
  – International

• The Unified Approach – A new look at compliance for IT Managers

US Sectoral Approach Has Led to Numerous Laws and Regulations

• Infrastructure Protection
• Identity Theft Prevention
• Corporate Governance and Reporting
• Standards (e.g., NIST and ISO 17799)
• The Payment Card Industry Data Security Standard (PCI DSS)

[Figure labels: Int’l Law, State Law, SOX, FTC, FISMA, HIPAA, GLBA]

…Have Created a “Silo Approach” to Compliance

• GLBA: Finance Department (CFO), Compliance Program 1
• HIPAA: Human Resources/Health Care, Compliance Program 2
• State Law: Compliance, Compliance Program 3
• Int’l Law: Clinical Research, Compliance Program 4

The Silo Problem:

• Multiple Compliance Efforts
  – Costs more money
    • Multiple consultants each offering expertise in specific areas (e.g., HIPAA, GLBA, EU Data Directive, California Law)
    • So multiple efforts are undertaken when essentially a single effort would suffice
  – Undermine overall compliance effectiveness
    • Redundancy, inconsistency, lack of centralized oversight

[Figure labels: GLBA Consultants, HIPAA Consultants, Int’l Consultants, State Law Consultants]

A Unified Approach to Information Security Compliance

• Addresses all of the regulatory regimes (security, privacy and other regulatory requirements)

• One comprehensive approach

• Uses popular compliance frameworks

GLBA

• GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. §§6801, 6805
  – Resulted in Regulations for Some Agencies
  – Resulted in Guidelines for Others

GLBA Reach – Federal Banking Agencies

• Interagency Guidelines Establishing Standards for Safeguarding Customer Information:
  – The Office of the Comptroller of the Currency (“OCC”) (Treasury); 12 C.F.R. Part 30
  – Federal Reserve System; 12 C.F.R. Parts 208, 211, 225 and 263
  – The Federal Deposit Insurance Corporation ("FDIC"); 12 C.F.R. Parts 408 and 364
  – The Office of Thrift Supervision ("OTS") (Treasury); 12 C.F.R. Parts 568 and 570 (security) and 573 (privacy)

GLBA Reach - NCUA, SEC, CFTC

• The National Credit Union Administration (“NCUA”); 12 C.F.R. Parts 716 (privacy) and 748 (security)

• The Securities and Exchange Commission ("SEC"); 17 C.F.R. Part 248 (SEC) (Amendment Pending)

• Commodity Futures Trading Commission; 17 C.F.R. 160.30

FTC and Others

• Federal Trade Commission (Safeguards)

• State Insurance Authorities

GLBA Scope and Amendments

[Figure: GLBA 1999 (Safeguards, Privacy) and FACTA 2003 (Disposal, Breach Notification, Safeguard Expansion)]

HIPAA Compliance

HIPAA Requirements/Security

[Figure: Technical Security, Administrative Security, Physical Security, Business Associate Management, Procedures, Legal Compliance]

Federal Information Security Act of 2002 (FISMA)

• FISMA: Federal Information Security Act of 2002, 44 U.S.C. §3537 et seq.
  – Requires compliance with a set of standards for federal government information security
    • Federal Information Processing Standards (FIPS)
    • NIST Standards

• Applies to Federal information systems
  – An information system used or operated by an executive agency, or by another organization on behalf of an executive agency

• Applies to government contractors

FTC Authority

• Section 5 of the FTC Act (“FTCA”) permits the FTC to bring an action to address any unfair or deceptive trade practice that occurs in the course of commercial activities
  – A deceptive trade practice is any commercial conduct that includes false or misleading claims or claims that omit material facts
  – Unfair trade practices are commercial conduct that causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid

FTC Security Enforcement

• Deceptive Trade Practices: Based on notice of privacy practices and official statements regarding how an organization safeguards sensitive information (e.g., In re Guidance Software Inc.)

• Unfair Trade Practices: Practices that “threaten data security” are unfair practices (e.g., In re BJ’s Wholesale Club)

• GLBA Safeguards: Violations of the Safeguards Rule (e.g., In re Superior Mortgage Corp.)

Enforcement/Consent Orders - FTCA

• United States v. ValueClick Inc., C.D. Cal., No. CV08-01711, stipulated final judgment approved 3/17/08
• Life is good Inc., FTC, File No. 072-3046 (1/17/08)
• In re Guidance Software Inc., FTC, File No. 062 3057 (11/16/06)
• In the Matter of DSW, Inc., FTC, No. 053-3096 (12/1/05)
• In re CardSystems Solutions Inc., FTC, File No. 052 3148 (9/5/06)
• United States v. ChoicePoint, 106-cv-0198 (N.D. GA, 2-15-06)
• In the matter of BJ’s Wholesale Club, FTC No. 042-3160 (6/16/2005)
• In re Petco Animal Supplies Inc., FTC, File No. 032-3221 (11/17/04)
• In re MTS Inc., FTC, File No. 032-3209, 4/12/04 (Tower Records)
• In re Guess? Inc., FTC, File No. 022-3260 (6/18/03)
• In re Microsoft Corp., FTC, File No. 012-3240 (8/8/02)
• In re Eli Lilly and Co., FTC, No. 012-3214 (1/18/02)

FTC Enforcement - GLBA Safeguards

• In re Goal Fin. LLC, FTC, No. 072-3013 (commission approval 2/19/08)

• United States v. American United Mortgage Co., No. 07C 7064, (N.D. Ill., 12/17/07) (Disposal Rule)

• In re Nations Title Agency Inc., FTC, No. 052 3117, proposed consent order 5/10/06

• In re Superior Mortgage Corp., FTC, File No. 052 3136, 9/28/05

• In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No. 042-3104 4/15/05

• In re Sunbelt Lending Services, FTC, File No. 042-3153 (11/16/04)

SOX and Security

• Sarbanes-Oxley Act, 15 U.S.C. §§7241 and 7267

• SOX is "basically silent" on information security

• However, Information Security is implicit:
  – Certification of effectiveness of controls (404)
  – Annual assessment and report on effectiveness of the controls (302)

• The SEC final rules require management to certify that two types of controls have been established and their effectiveness has been assessed:
  – Access Security
  – Internal Controls

SOX Standards: COSO and COBIT

• Committee of Sponsoring Organizations of the Treadway Commission (COSO)

• COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance
  – Integrity and Ethical Values
  – Commitment to Competence
  – Board of Directors or Audit Committee
  – Management Philosophy and Operating Style
  – Organizational Structure
  – Assignment of Authority and Responsibility
  – Human Resource Policies and Procedures

• COBIT (Control Objectives for Information and related Technology)

• COBIT Security Baseline:
  – Security Policy
  – Security Standards
  – Access and Authentication
  – User Account Management
  – Network Security
  – Monitoring
  – Segregation of Duties
  – Physical Security

State Breach Notice Laws Continue to Proliferate…

• Arizona (Ariz. Rev. Stat. §44-7501)

• Arkansas (Ark. Code §4-110-101 et seq.)

• California (Cal. Civ. Code §1798.82)

• Colorado (Col. Rev. Stat. §6-1-716)

• Connecticut (Conn. Gen Stat. 36A-701(b))

• Delaware (De. Code tit. 6, §12B-101 et seq.)

• Florida (Fla. Stat. §817.5681)

• Georgia (Ga. Code §10-1-910 et seq.)

• Hawaii (Hawaii Rev. Stat. §487N-2)

• Idaho (Id. Code §§28-51-104 to 28-51-107)

• Illinois (815 Ill. Comp. Stat. 530/1 et seq.)

• Indiana (Ind. Code §24-4.9)

• Kansas (Kansas Stat. 50-7a01, 50-7a02 (2006 S.B. 196, Chapter 149))

• Louisiana (La. Rev. Stat. §51:3071 et seq.)

• Maine (Me. Rev. Stat. tit. 10 §§1347 et seq.)

…with 4 More Enacted in 2007…

• Maryland (HB 208, S 194)

• Massachusetts (HB 4775)

• Michigan (SB 309, Public Act 566)

• Minnesota (Minn. Stat. §325E.61, §609.891)

• Montana (Mont. Code §30-14-1701 et seq.)

• Nebraska (Neb. Rev Stat 87-801 et. seq.)

• Nevada (Nev. Rev. Stat. 603A.010 et seq.)

• New Hampshire (N.H. RS 359-C:19 et seq.)

• New Jersey (NJ Stat. 56:8-163)

• New York (N.Y. Bus. Law §899-aa)

• North Carolina (N.C. Gen. Stat §75-65)

• North Dakota (N.D. Cent. Code §51-30-01 et seq.)

…and one this year, they now total 40…

• Ohio (Ohio Rev. Code §1349.19, §1347 et seq.)

• Oklahoma (Okla. Stat. §74-3113.1)

• Oregon (SB 583)

• Pennsylvania (73 Pa. Cons. Stat. §2303)

• Rhode Island (R.I. Gen. Laws §11-49.2-1 et seq.)

• Tennessee (Tenn. Code §47-18-2107)

• Texas (Tex. Bus. & Com. Code §48.001 et seq.)

• Utah (Utah Code §13-44-101 et seq.)

• Virginia (SB 307)

• Vermont (Vt. Stat. Tit. 9 §2430 et seq.)

• Washington (Wash. Rev. Code §19.255.010)

• Wisconsin (Wis. Stat. §895.507)

• Wyoming (SF 53)

…With 8 More in Process.

1. Alabama (SB 382)
2. Alaska (SB 21)
3. Iowa (SSB 3183)
4. Kentucky (HB 553)
5. Missouri (HB 2130)
6. Mississippi (HB 1408)
7. S. Carolina (S 453)
8. West Virginia (HB 2175)

• This leaves only the following 2:
  1. New Mexico, and
  2. South Dakota

Inconsistent State Breach Notice Laws

• Personal Information: At a minimum, define “personal information” as a name, in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code, the breach of which triggers the need to notify consumers
  – Some include passports or other forms of federal identification

• Breach: Most apply only to breaches of unencrypted electronic personal information, and require written notification after a breach is discovered
  – Some also require notice if the encryption key is breached along with the data

• Notification: Most require notification if there has been, or there is a reasonable basis to believe that, unauthorized access that compromises electronic personal information has occurred

• Risk of Harm: In some states, entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual

Inconsistent State Breach Laws (cont’d)

• Enforcement Authority: Most give the state’s Attorney General enforcement authority
  – A few provide a private cause of action

• Law Enforcement Delay: Most allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois

• Substitute Notice: Most allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000; RI, DE, NE, OH set lower thresholds

• Security and Privacy Programs: Some require implementation of safeguards to protect information security and privacy (e.g., MD)

• Safe Harbor: Some provide a “safe harbor” for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law or federal law such as HIPAA and GLBA (e.g., OH, MD)

• Disposal: Some require proper disposal of PI (e.g., MD, MA, OR)
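The notification triggers listed on these two slides (the minimum "personal information" definition, the unencrypted-data scope, the key-compromise variant, the risk-of-harm exception and the 500,000-person / $250,000 substitute-notice thresholds) are the inputs an incident responder needs to decide whether a breach is notifiable in a given state. The Python below is an added example, not part of the presentation: the StateRule flags and the field names are assumptions standing in for whatever a particular statute actually says, and the sample breaches are constructed.

```python
from dataclasses import dataclass

# Identifiers that, paired with a name, form "personal information" under the
# minimum definition the state laws share (constructed field names).
STATE_IDS = {"ssn", "drivers_license", "state_id"}
FINANCIAL_IDS = {"account_number", "debit_card_number"}


@dataclass
class StateRule:
    """Parameters on which the state laws differ (hypothetical per-state values)."""
    name: str
    passport_counts: bool = False          # some states add passport / federal ID
    key_breach_triggers: bool = False      # notice when the encryption key is also breached
    risk_of_harm_exception: bool = False   # no notice if investigation finds no risk of misuse
    substitute_notice_people: int = 500_000
    substitute_notice_cost: float = 250_000.0


@dataclass
class Breach:
    fields_exposed: set
    encrypted: bool = False
    key_compromised: bool = False
    affected_people: int = 0
    notification_cost: float = 0.0
    no_risk_of_harm_found: bool = False    # outcome of the covered entity's investigation


def is_personal_information(fields, rule):
    """Name plus a sensitive identifier, or name plus an account/debit number plus an access code."""
    if "name" not in fields:
        return False
    ids = STATE_IDS | ({"passport"} if rule.passport_counts else set())
    if fields & ids:
        return True
    return bool(fields & FINANCIAL_IDS) and "access_code" in fields


def assess(breach, rule):
    """Return (notify, reason, substitute_notice_allowed) for one breach under one state's rule."""
    if not is_personal_information(breach.fields_exposed, rule):
        return False, "exposed data does not meet the personal information definition", False
    if breach.encrypted:
        if breach.key_compromised and rule.key_breach_triggers:
            reason = "encrypted data exposed together with the encryption key"
        else:
            return False, "encrypted data is outside the statute's scope", False
    else:
        reason = "unauthorized access to unencrypted personal information"
    if rule.risk_of_harm_exception and breach.no_risk_of_harm_found:
        return False, "investigation found no significant possibility of misuse", False
    substitute = (breach.affected_people > rule.substitute_notice_people
                  or breach.notification_cost > rule.substitute_notice_cost)
    return True, reason, substitute


if __name__ == "__main__":
    # Two constructed states at opposite ends of the variations on the slide.
    strict = StateRule("Strict-State")
    lenient = StateRule("Lenient-State", passport_counts=True, key_breach_triggers=True,
                        risk_of_harm_exception=True, substitute_notice_people=100_000)
    incident = Breach({"name", "ssn"}, encrypted=True, key_compromised=True)
    for rule in (strict, lenient):
        print(rule.name, assess(incident, rule))
```

The same incident comes out differently under the two constructed rules: encrypted data with a compromised key is notifiable only where the statute treats key compromise as a trigger, and the risk-of-harm exception can switch off notification entirely where it exists, which is exactly the inconsistency the slide is describing.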

MN Plastic Card Security Act (Security Provisions)

• HF 1758 amends Minnesota’s data breach notification law and contains security and liability provisions.

• The security provisions took effect August 1, 2007 and apply to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards “issued by a financial institution.”

• Such companies are prohibited from retaining the following card data after authorization of a transaction:
  – “the full contents of a track of magnetic stripe data” (which encompasses the “card verification value” or CVV, a unique authentication code embedded on the magnetic stripe);
  – the three to four digit security code on the back of the card by the signature block (also known as CVV2); and
  – any PIN verification code number (if a debit card with PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction)

Merchant Security
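A merchant subject to the retention prohibitions above needs a way to audit its own transaction store for the three prohibited data elements. The Python below is an added example, not part of the presentation: it scans constructed post-authorization records for full track data (using the standard track 1 and track 2 layouts), for a stored CVV2, and for PIN verification data kept beyond the 48-hour limit. The record layout and field names are assumptions, and the card number used is the well-known 4111 test PAN.

```python
import re
from datetime import datetime, timedelta, timezone

# Full magnetic-stripe track data, built from the standard track layouts:
# track 1 "%B<PAN>^<NAME>^<YYMM...>", track 2 ";<PAN>=<YYMM...>?".
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7,}\??")
PIN_RETENTION_LIMIT = timedelta(hours=48)   # HF 1758 limit for PIN data after authorization


def audit_record(record, now):
    """Return the list of retention violations found in one stored transaction record."""
    violations = []
    fields = record["fields"]
    for name, value in fields.items():
        if isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
            violations.append(f"{name}: full magnetic-stripe track data retained after authorization")
    if fields.get("cvv2"):
        violations.append("cvv2: card security code retained after authorization")
    if fields.get("pin_verification"):
        age = now - record["authorized_at"]
        if age > PIN_RETENTION_LIMIT:
            hours = int(age.total_seconds() // 3600)
            violations.append(f"pin_verification: retained {hours}h after authorization (limit 48h)")
    return violations


def audit_store(records, now):
    """Map each record id to its violations; records with none are omitted."""
    report = {}
    for record in records:
        found = audit_record(record, now)
        if found:
            report[record["id"]] = found
    return report


# Constructed sample records (test PAN 4111 1111 1111 1111; nothing here is real data).
NOW = datetime(2008, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": "tx-1", "authorized_at": NOW - timedelta(hours=1),
     "fields": {"pan_masked": "411111******1111", "amount": "19.99"}},
    {"id": "tx-2", "authorized_at": NOW - timedelta(days=3),
     "fields": {"pan_masked": "411111******1111",
                "raw_auth_message": ";4111111111111111=2512101123456789?"}},
    {"id": "tx-3", "authorized_at": NOW - timedelta(hours=5),
     "fields": {"pan_masked": "411111******1111", "cvv2": "123"}},
    {"id": "tx-4", "authorized_at": NOW - timedelta(hours=72),
     "fields": {"pan_masked": "411111******1111", "pin_verification": "8F3A"}},
    {"id": "tx-5", "authorized_at": NOW - timedelta(hours=2),
     "fields": {"pan_masked": "411111******1111", "pin_verification": "8F3A"}},
    {"id": "tx-6", "authorized_at": NOW - timedelta(days=1),
     "fields": {"track1": "%B4111111111111111^DOE/JANE^25121010000000000?"}},
]

if __name__ == "__main__":
    for rid, found in audit_store(SAMPLE_RECORDS, NOW).items():
        print(rid, found)
```

Only tx-1 (masked PAN, no authentication data) and tx-5 (PIN data still inside the 48-hour window) pass; the track data hidden inside a raw authorization message in tx-2 is the case a field-name check alone would miss, which is why the scan runs the track patterns over every string field rather than only the obviously named ones.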

MN Plastic Card Security Act (Liability Provisions)

• For data breaches occurring after August 1, 2008, HF 1758 provides:
  – Authorization for banks to file lawsuits to recover from the merchant "the cost of reasonable actions undertaken" to respond to the breach
  – If a merchant retains such data in violation of the proposed law and there was a breach of that information, banks may seek the costs of:
    • canceling and reissuing credit cards,
    • closing and/or reopening accounts affected by a breach,
    • stop payment actions,
    • unauthorized transaction reimbursements, and
    • providing breach notice to affected individuals

Merchant Liability

International Laws

• EU Data Protection Directive
  – Purpose
    • To protect individuals with respect to “processing” of personal information
    • To ensure that personal data may be freely transferred
  – Information Security (Article 17)
    • Appropriate technical and organizational measures to protect data against destruction, loss, alteration, or unauthorized disclosure

• Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
  – Purpose: “every organization” that “collects, uses or discloses” personal information “in the course of commercial activities” must take steps to protect individual privacy
  – Security Standards
    • These must be commensurate with the sensitivity of the information the organization holds
    • Measures should address:
      – The manner in which the information is stored
      – Protection against loss or theft as well as unauthorized access, disclosure, copying, use, or modification of the data

• Others, including APEC

• US Safe Harbor

Inadequacy of U.S. Protections

• Article 25: Member States to enact laws prohibiting the transfer of personal data to countries outside the EU that fail to ensure an “adequate level of (privacy) protection”
  – US Privacy Laws Deemed Inadequate by EU

• The following methods can be used to obtain personal information from EU Countries
  – Data Transfer Agreement
    • Bind the (U.S.) importer to provide adequate protections (Article 26)
  – US Safe Harbor Provisions
    • Certify Compliance with Safe Harbor
  – Unambiguous Informed Consent
    • The EU company may transfer the data if it obtains an unambiguous informed consent from every data subject before each transfer is made.
  – Binding Corporate Rules
    • The use of internal policy rules, procedures and mechanisms to ensure the rights of data subjects

Unified Approach to Security

Security Practices mapped against ISO 17799, NIST, HIPAA, GLBA and FTCA

Administrative Safeguards
• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Management of Information Access
• Security Incident Procedures
• Contingency Planning
• Review/Evaluation
• Contracts
• Security Awareness and Training

Physical Safeguards
• Facility Access Controls (Generally)
• Workstation Use and Security (Generally)
• Device and Media Controls

Technical Safeguards
• Access Control
• Audit Controls
• Integrity Controls
• Person or Entity Authentication
• Transmission Security

[Table: the ISO 17799, NIST, HIPAA, GLBA and FTCA columns mark which regimes each practice satisfies]

Protecting Information/Achieving Compliance

[Figure: compliance cycle with the stages Identify Applicable Laws, Risk Analysis and Report, Implementation, Compliance, Legal Evaluation and Training & Change Management; labelled Attorney-Client Privilege and Compliance Program Integration]

Fundamental Process

• Identify assets to be protected
• Conduct risk assessment
• Identify and select reasonable and appropriate controls
• Implement controls
• Training and awareness
• Review (audit) effectiveness and make necessary adjustments

Unified Approach Methodology

Step 1. Establish Requirements
  – Determine Applicable Laws and Regulations
  – Determine Security and Privacy Standards

Step 2. Preliminary Awareness Raising and Training

Step 3. Information Collection
  – Documentation Review
  – Interviews/Questionnaires
  – Data Classification and Mapping

Step 4. Perform Risk and other Analyses

Step 5. Report of Findings and Recommendations

Step 6. Prepare Implementation Plan

Step 7. Implementation Program, Provide Training

Value of Unified Approach

• The number of laws and regulations will continue to grow, making compliance even more cumbersome

• Unified approach provides compliance with multiple regulations and laws at one time

• Ability to demonstrate due diligence to Federal and state authorities, plaintiff attorneys and contract partners

Thank You

M. Peter Adler, Attorney at Law
202.220.1278 Direct
Fax: [email protected]

Hamilton Square, 600 Fourteenth Street, N.W., Washington DC 20005-2004
202.220.1200, Fax: 202.220.1665
www.pepperlaw.com