Post on 18-Dec-2015
Adler InfoSec & Privacy Group LLC
Unified Approach to Security and Privacy
M. Peter Adler JD, LLM, CISSP, CIPP, Adler InfoSec & Privacy Group LLC
Privacy in the Electronic Realm
April 18, 2006
Agenda
Problem: Sectoral/State Approach to Security and Privacy
– Statement of the Problem
– US Federal Laws and Intended Sectors
– State Laws and Intended Sectors
– Private Contractual Standards and Intended Sectors
Solution: Unified Approach to Security and Privacy Compliance
US Sectoral Approach Has Led to Numerous Laws and Regulations
(Figure: US Safe Harbor, Sarbanes-Oxley (SOX), State Law, FTC, GLBA, HIPAA)
Other Important Factors
• The Payment Card Industry Data Security Standard
• International Standards (e.g., NIST and ISO 17799)
• Infrastructure Protection
• Identity Theft Prevention
• Corporate Governance and Reporting
…Have Created a “Silo Approach” to Compliance
– GLBA: Finance Department (CFO): Compliance Program 1
– HIPAA: Human Resources/Health Care: Compliance Program 2
– State Law: Compliance: Compliance Program 3
– Int'l Law: HR/International Ops: Compliance Program 4
The Silo Problem: Multiple Compliance Efforts
– Costs more money: multiple consultants each offering expertise in specific areas (e.g., HIPAA, GLBA, EU Data Directive, California Law), so multiple efforts are undertaken when essentially a single effort would suffice
– Undermines overall compliance effectiveness: redundancy, inconsistency, lack of centralized oversight
(Figure: GLBA Consultants, HIPAA Consultants, Int’l Consultants, State Law Consultants)
A Unified Approach to Compliance
(Figure: Int’l Law, International Operations, HIPAA, GLBA, Other, FTC, Safe Harbor)
A Unified Approach addresses all of the regulatory regimes with one comprehensive approach to look at applicable security, privacy and other regulatory requirements.
HIPAA Requirements/Security
(Figure: HIPAA Compliance comprises Technical Security, Administrative Security, Physical Security, Business Associate Management, and Procedures/Legal Compliance)
To guard the confidentiality, integrity and availability (CIA) of health information
FTC Authority to Investigate
FTC has broad authority to investigate and bring actions
May work with company to resolve the matter
Where a pattern of non-compliance or egregious behaviors are involved, FTC will bring an enforcement action
These actions usually result in settlements through consent decrees that include an FTC-mandated security and privacy program
Limitation of Authority
FTC cannot regulate industries that are otherwise regulated (e.g., financial industries, common carriers)
FTC may nevertheless work closely with these other industries
FTC may share enforcement authority with other agencies/authorities
FTC Security and Privacy Consent Decrees
A prohibition on misrepresentation of security and privacy program protections
Fines
A requirement to establish and maintain a security program, including
– Training and proper oversight of employees and agents
– Identification of reasonably foreseeable risks
– Design and implementation of reasonable and appropriate safeguards
– Regular evaluation of the program
FTC Security and Privacy Consent Decrees (cont.)
An obligation to have the security and privacy program reviewed annually by an independent qualified third party
A requirement to provide certain documents related to the representations made about the company’s programs and compliance upon request by the FTC
An obligation to notify the FTC of any change which may affect the company’s compliance
A final written report of compliance upon request by the FTC
Previous FTC Actions Resulting in Security or Privacy Programs
Section 5 Violations for Erroneous Representations in Posted Privacy Practices
FTC alleged the companies involved promised they would take reasonable steps to protect consumers' sensitive information, but failed to do so
– Eli Lilly (January 18, 2002): information about Prozac users
– Microsoft (Aug 8, 2002): technology not as secure as claimed, but no security breach uncovered
– Tower Records (April 21, 2004): security flaw in the company’s web site exposing customers’ personal information
– Guess? (June 18, 2003): failed to use reasonable and appropriate measures to protect customers’ personal information
– Petco Animal Supplies Inc. (November 11, 2004): failed to use reasonable and appropriate measures to protect customers’ personal information
– United States of America vs. Choicepoint, Inc., 1:06-CV-0198, Dist. Ct., Northern District of Georgia (other counts under FCRA/FACTA were also included)
FTC Complaints and Actions in the Last Year
Failure to provide reasonable and appropriate security for PI
– In the Matter of Vision I Props. LLC, FTC, No. 042-3068, 3/10/2005
– In the Matter of DSW, Inc., FTC, No. 053-3096, 3/14/2005
– In the Matter of BJ’s Wholesale Club, FTC No. 042-3160, 9/23/2005
Violations of GLBA Safeguards Rule (FTC)
– In re Sunbelt Lending Services, FTC, File No. 042-3153, 11/16/04
– In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No. 042-3104, 4/15/05
– In re Superior Mortgage Corp., FTC, File No. 052 3136, 9/28/05
Spyware
– FTC v. Odysseus Mktg. Inc., D.N.H., 1:05-cv-00330-SM (Complaint 9/21/05). The FTC claimed that since September 2003, Odysseus Marketing Inc. and its principal, Walter Rines, have advertised software that purportedly would allow consumers to engage in anonymous peer-to-peer file sharing. The agency argued the claims were false and misleading.
State Breach Notice Laws
The State Breach Notice Laws, generally:
– apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered;
– at a minimum, define "personal information" (the breach of which triggers the need to notify consumers) as a name in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code;
– give their state attorneys general enforcement authority;
– except Illinois, allow for a delay in notification if a disclosure would compromise a law enforcement investigation;
– allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000 (Rhode Island and Delaware set lower thresholds); and
– provide a safe harbor for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law.
State Breach Notification Laws
Most of the laws require notification if there has been, or there is a reasonable basis to believe that, unauthorized access that compromises personal data has occurred.
However, as noted in materials, nine states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual.
California Passed 1st Law on Notice of Security Breach - SB 1386
Applies to all companies in California or that do business in California
Companies must disclose any security breaches to each affected California customer whose Personal Information has been compromised.
– Personal information (notice-triggering information) is an individual’s first name or first initial, combined with the last name, plus any one of the following identifiers: (1) Social Security number, (2) driver’s license number or California Identification Card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the account.
Failure to comply may result in lawsuits and damages.
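The SB 1386 definition of notice-triggering information, together with the general state-law criteria on the earlier slide (unencrypted data only; substitute notice above 500,000 people or $250,000), can be written down as a decision rule and run over a compromised data set. The Python below is an added example, not code from the presentation; the record fields, function names and the sample records are assumptions constructed for it.

```python
"""Breach-notice triage helper (added example, not part of the presentation).

Encodes the notice-triggering "personal information" definition from SB 1386
and the general state-law pattern: a first name (or first initial) plus last
name, combined with an SSN, a driver's license / state ID number, or an
account or card number together with the code that permits access. Breaches
of encrypted data are out of scope, and substitute notice is allowed above
500,000 affected people or $250,000 in notification cost.
Field names, function names and the sample records are constructed.
"""
from dataclasses import dataclass


@dataclass
class CompromisedRecord:
    """One individual's data elements found in the compromised data set."""
    first_name: str = ""        # full first name or just the first initial
    last_name: str = ""
    ssn: str = ""
    drivers_license: str = ""   # driver's license or California ID card number
    account_number: str = ""    # financial account, credit or debit card number
    access_code: str = ""       # security code, access code or password
    encrypted: bool = False     # elements were encrypted when breached


def has_name(r: CompromisedRecord) -> bool:
    """First name (or initial) combined with the last name."""
    return bool(r.first_name.strip()) and bool(r.last_name.strip())


def triggering_identifiers(r: CompromisedRecord) -> list:
    """Identifiers that, combined with the name, make the record 'personal information'."""
    found = []
    if r.ssn.strip():
        found.append("ssn")
    if r.drivers_license.strip():
        found.append("drivers_license_or_state_id")
    # An account/card number only counts together with a code that permits access.
    if r.account_number.strip() and r.access_code.strip():
        found.append("account_number_with_access_code")
    return found


def requires_notice(r: CompromisedRecord) -> bool:
    """True when the breach of this record triggers individual notice."""
    if r.encrypted:
        return False            # the laws apply only to unencrypted data
    return has_name(r) and bool(triggering_identifiers(r))


def substitute_notice_allowed(n_affected: int, notice_cost_usd: float,
                              max_people: int = 500_000,
                              max_cost_usd: float = 250_000.0) -> bool:
    """Media/web-site substitute notice thresholds (Rhode Island and Delaware set lower ones)."""
    return n_affected > max_people or notice_cost_usd > max_cost_usd


def triage(records, cost_per_notice_usd: float) -> dict:
    """Summarise a compromised data set for the notification decision."""
    affected = [r for r in records if requires_notice(r)]
    cost = len(affected) * cost_per_notice_usd
    return {
        "records_examined": len(records),
        "notices_required": len(affected),
        "estimated_notice_cost_usd": cost,
        "substitute_notice_allowed": substitute_notice_allowed(len(affected), cost),
    }


# Constructed sample data set (not real individuals).
SAMPLE_RECORDS = [
    CompromisedRecord("Ann", "Smith", ssn="000-00-0001"),                 # name + SSN
    CompromisedRecord("B", "Jones", drivers_license="D0000002"),          # initial + DL
    CompromisedRecord("Carl", "Lee", account_number="4111000000000003"),  # card, no code
    CompromisedRecord("Dee", "Kim", ssn="000-00-0004", encrypted=True),   # encrypted
    CompromisedRecord("", "", ssn="000-00-0005"),                         # SSN, no name
    CompromisedRecord("Eve", "Diaz", account_number="4111000000000006",
                      access_code="123"),                                 # card + code
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"{r.first_name!r:8} {r.last_name!r:8} notice={requires_notice(r)}")
    print(triage(SAMPLE_RECORDS, cost_per_notice_usd=2.0))
```

Of the six constructed records only three trigger notice: the card number without its access code, the encrypted record and the SSN with no name attached all fall outside the definition. The helper deliberately models only the trigger definition and the substitute-notice thresholds; the risk-of-harm threshold that nine states apply and the law-enforcement delay are case-by-case judgements that the slides describe but that no fixed rule captures.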
Since Then… State Breach Notice Laws Proliferate
Arkansas (SB 1167), California (SB 1386), Connecticut (SB 650), Delaware (HB 116), Florida (HB 481), Georgia (SB 230), Illinois (SB 1633), Indiana (SB 503, HB 1101), Louisiana (SB 205), Maine (LD 1671), Minnesota (HF 2121, HF 225), Montana (HB 732), Nevada (SB 347, AB 334), New Hampshire (HB 1660), New Jersey (A 4001), New York (SB 347), North Carolina (SB 1048), Ohio (Subst. HB 104), North Dakota (SB 2251), Rhode Island (H 6191), Tennessee (SB 2220), Texas (SB 122), Utah (SB 69), Washington (SB 6043), Wisconsin (SB 164)
Federal Efforts – Notice of Security Breach
Over 24 laws introduced in the past two years, e.g.,
– Data Accountability and Trust Act (DATA) (HR 4127) (“reasonable risk”)
– (HR 3997) (no state Attorneys General authority)
All would preempt state law
Differ in terms of safe harbor, exemptions, penalties, notice procedures
SB 1386 Litigation
Parke v. CardSystems Solutions Inc., Cal. Super. Ct., No. CGC-05-442624.
– June 17 discovery that hackers broke into a CardSystems computer system that held private financial data on more than 40 million credit cards issued by MasterCard and other major credit card companies
– Class action filed June 27 alleges that MasterCard, Visa International and CardSystems failed to protect consumers' privacy rights and notify consumers in a timely manner of the breach
– Complaint was amended July 6 to add a prayer for damages, as well as allegations of negligence and alleged violations of California Civil Code Section 1798.82, popularly known as S.B. 1386
– Show cause order issued 8/1/05 why preliminary injunction should not be granted to force CardSystems to provide notice to all Californians
California Raises the Bar: AB 1950 New Information Security Standard
Signed into law on September 29, 2004.
Creates an information security standard for non-medical and non-financial entities that have personal information about their customers
– Exemption for financial institutions, or entities governed by HIPAA privacy rules
– Does not define what "reasonable security measures" are other than "procedures and practices appropriate to the nature of information to protect the personal information from unauthorized access, destruction, use, modification or disclosure"
– Covers "personal information", that is, a name, Social Security number, driver's license number, and California identification number and account, credit, or debit card numbers in combination with passwords, security, or access codes.
Medical information is also covered by the law, and is defined as "any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional."
Security and Privacy Compliance Plan
Overview of the “Unified Approach”
Unified Approach to Security
Security practices, each mapped against ISO 17799, the NIST 800 Series, the HIPAA Security Standards, GLBA and the California Guidelines (SB 1386):
Administrative Safeguards
– Security Management Process
– Assigned Security Responsibility
– Workforce Security
– Management of Information Access
– Security Incident Procedures
– Contingency Planning (Generally)
– Review/Evaluation
– Contracts
– Security Awareness and Training
Physical Safeguards
– Facility Access Controls (Generally)
– Workstation Use and Security (Generally)
– Device and Media Controls
Technical Safeguards
– Access Control
– Audit Controls
– Integrity Controls
– Person or Entity Authentication
– Transmission Security
Unified Approach to Privacy
Common Criteria | OECD Guidelines | GLBA | Safe Harbor Principles | HIPAA
Notice | Openness | Notification | Notice | Notice of Privacy Practices
Collection | Collection Limitation, Purpose Specification | Information Collection Limitation | Collection Limitation | Marketing and fundraising; Minimum Necessary Rule
Use and Retention | Use Limitation | Uses Limitation | Onward Transfer | Minimum Necessary Rule
Choice/Consent | | Choice | Choice | Individual Rights
Security | Security Safeguards | Safeguards | Security | Safeguards
Third Party Disclosures | Accountability | Regulatory and Contractual | Contractual | Contractual (Min. Necessary Rule)
Quality | Data Quality | Integrity | Data Integrity | Integrity (Security Regs.)
Access | Individual Participation | Access/Correction | Access | Access/Correction
Monitoring and Enforcement | | Enforcement | Enforcement | Enforcement Provisions
(Figure: Compliance Program Integration, conducted under Attorney-Client Privilege. Elements: Identify Applicable Laws; Legal Evaluation; Risk Analysis and Report; Implementation; Training & Change Management; Compliance. Caption: Protecting Information/Achieving Compliance)
Fundamental Process
Identify assets to be protected
Conduct risk assessment
Identify and select reasonable and appropriate controls
Implement controls
Training and awareness
Review (audit) effectiveness and make necessary adjustments
Contact Information
M. Peter Adler
Adler InfoSec & Privacy Group LLC
2103 Windsor Road, Alexandria, VA 22307
Telephone: (202) 251-7600
Facsimile: (703) 997-5633
Email: [email protected]