California Data Privacy Laws: Is Compliance Good Enough?
May 2010 – Chris Merritt, Director Solution Marketing
Uploaded by lumension; posted 20-Aug-2015

Page 1: California Data Privacy Laws: Is Compliance Good Enough?

California Data Privacy Laws: Is Compliance Good Enough?

May 2010

Chris Merritt, Director Solution Marketing

Page 2: California Data Privacy Laws: Is Compliance Good Enough?

Today’s Agenda

Data Protection in California … and Beyond

Achieving Compliance … or Security?

How to … Move Beyond Compliance

How Lumension Helps

Page 3: California Data Privacy Laws: Is Compliance Good Enough?

Data Protection in California … and Beyond

Page 4: California Data Privacy Laws: Is Compliance Good Enough?

2009 Fraud & ID Theft Data

Source: FTC Consumer Sentinel Network (CSN) 2009 Data Book, Feb 2010

Page 5: California Data Privacy Laws: Is Compliance Good Enough?

2009 Fraud & ID Theft in California

Total Number of Identity Theft, Fraud and Other Consumer Complaints = 165,033

Page 6: California Data Privacy Laws: Is Compliance Good Enough?

California Data Protection Laws

Medical Information (CA Civil Code §§ 56.06)

• AB 1298 (January 2008)
• Expands …
  » application of the Confidentiality of Medical Information Act (CMIA) to any business that handles medical information
  » definition of PII to include medical information
• Penalties include …
  » individual – $1,000 per violation, plus damages and court costs
  » civil – from $1,000 to $250,000 per violation
  » considered a misdemeanor
• Example …
  » Nadya Suleman (aka ‘Octomom’) case

Page 7: California Data Privacy Laws: Is Compliance Good Enough?

California Data Protection Laws

Consumer Credit Reporting Agency (CA Civil Code §§ 1785.11.2)

• SB 168 (Jul 2002)
• Requirements
  » Allows consumers to ask for a “credit freeze”
  » Prohibits exposing SSNs (print, clear-text transmission, etc.) or requiring SSNs for identification
• Augments the rest of §1785, covering Credit Reporting / Usage …
  » address matching
  » verification of no ID Theft / Fraud
  » cannot sell debt in cases of ID Theft
  » fines for ID Theft / Fraud
  » and much more

Page 8: California Data Privacy Laws: Is Compliance Good Enough?

California Data Protection Laws

Protecting PII (State Agencies and Businesses) (CA Civil Code §§ 1798.29 and §§ 1798.82)

• SB 1386 (Jul 2003)
• Requirements
  » Covers any CA business or businesses with CA customers, and their vendors
  » Covers PII (first / last name, address, tel. no., acct. no., PIN, SSN, etc.)
  » Requires notification if there was “or is reasonably believed to have been” a breach, unless data are encrypted (with some caveats)
• First State Data Breach Notification law in US, and model for many that followed

Page 9: California Data Privacy Laws: Is Compliance Good Enough?

Other State Data Protection Laws

Massachusetts – 201 CMR 17
• covers all businesses with MA customers
• requires comprehensive written security plan
• requires encryption, firewall, patching and anti-malware

Nevada – Chap. 603A
• codifies PCI-DSS
• provides “safe harbor” if data are encrypted or if compliant w/ PCI

Page 10: California Data Privacy Laws: Is Compliance Good Enough?

Other Federal Data Protection Laws

• Sarbanes-Oxley (SOX)
• Gramm-Leach-Bliley Act (GLBA)
• FACTA Red Flag Rules
• BSA / AMLA
• HIPAA / HITECH

Page 11: California Data Privacy Laws: Is Compliance Good Enough?

Other Data Protection Regulations

• PCI-DSS
• NERC

Page 12: California Data Privacy Laws: Is Compliance Good Enough?

International Data Protection Laws

• UK Data Protection Act
• EU Directives
• Basel II

Page 13: California Data Privacy Laws: Is Compliance Good Enough?

Proposed Federal Data Protection Laws

• Personal Data Privacy and Security Act of 2009 (S.1490)
• Data Breach Notification Act (S.139)
• Data Accountability and Trust Act (H.2221)

Page 14: California Data Privacy Laws: Is Compliance Good Enough?

Achieving Compliance … or Security?

Page 15: California Data Privacy Laws: Is Compliance Good Enough?

Achieving Compliance … or Security

• Focus on compliance
  » Pros – lowered liability, improved operations, meeting letter of the law
  » Cons – overlapping requirements, complicated, always chasing new rules
• But … compliance ≠ security!
• Need to move beyond mere compliance … to true security
  » Cons – more upfront effort
  » Pros – legal defensibility, better alignment w/ threats, better protection of all valuable data

How to deal with this crazy quilt of statutes and regulations?

Page 18: California Data Privacy Laws: Is Compliance Good Enough?

How to... Move Beyond Compliance

Page 19: California Data Privacy Laws: Is Compliance Good Enough?

Four Steps to Security

• Policy
• Process
• Technology
• People

Page 20: California Data Privacy Laws: Is Compliance Good Enough?

Technology – Defense in Depth


Page 21: California Data Privacy Laws: Is Compliance Good Enough?

3P’s of Security

Policy …
• needs to be …
  » written down and available
  » monitored and adapted as needed
  » end-to-end (data, users)
  » enforceable / enforced

Process …
• reduces workload and eliminates gaps
• needs to enable productivity, but provide security

People …
• are your perimeter
• need continuous education / training

Page 22: California Data Privacy Laws: Is Compliance Good Enough?

How Lumension Helps

Page 23: California Data Privacy Laws: Is Compliance Good Enough?

How Lumension Helps

Lumension helps you
» Identify data for protection
» Protect data from theft
» Demonstrate compliance

Lumension solutions
» Protect against data theft and data loss
» Control the use of applications and devices
» Enforce encryption when data is copied to removable media
» Automate the collection, analysis, and delivery of patches and updates
» Audit the network for compliance with Data Protection regulations in California and beyond

Page 24: California Data Privacy Laws: Is Compliance Good Enough?

How Lumension Helps – Encryption

External Device Encryption
» Enforce encryption of information transferred to …
  • Removable devices (ext. HDs, USB sticks, etc.)
  • Removable media (CDs, DVDs)
» Control and manage device access through all ports
  • Physical interfaces such as USB, FireWire, PCMCIA, etc.
  • Wireless interfaces such as WiFi, Bluetooth, IrDA, etc.
» Control and monitor all devices in network environment
  • Those connected now or ever
  • Limit access by user, machine, time, status
» Deliver detailed forensics of device usage and data transfer
  • Log file metadata (name, type, size, etc.)
  • Retain copy of entire file

Page 25: California Data Privacy Laws: Is Compliance Good Enough?

How Lumension Helps – Password Control

Password Protection
» Agent-based inventory capability validates password complexity
» Network-based scan detects password complexity policy option
» Force use of complex passwords
» Prevent users from accessing encrypted devices/media after five incorrect password attempts

Page 26: California Data Privacy Laws: Is Compliance Good Enough?

How Lumension Helps – System Security

Comprehensive Endpoint Protection
» Lumension AntiVirus provides protection against malware
  • Traditional blacklisting
  • Behavioral analysis capabilities
» Lumension Patch and Remediation provides automated patching
  • Comprehensive vulnerability assessment
  • Rapid, accurate and secure patch management
  • Ensures systems are up-to-date and free from vulnerabilities
» Lumension Application Control guards against unwanted change
  • Prevents unauthorized / unwanted apps from executing, including malware
  • Maintains network assets in known state
» Lumension Device Control provides endpoint data protection
  • Protects against data leakage (theft / loss)
  • Forces encryption of data transferred to removable devices / media
  • Prevents malware introduction via removable devices / media

Page 27: California Data Privacy Laws: Is Compliance Good Enough?

How Lumension Helps – Show Compliance

Compliance & IT Risk
» Demonstrate compliance to Data Protection regulations in California and beyond
» Use Lumension Risk Manager to …
  • Identify key assets
  • Assess compliance level of these assets
  • Remediate assets to bring them into compliance
  • Manage key assets on a consistent basis

Page 28: California Data Privacy Laws: Is Compliance Good Enough?

Integrated Risk Management (diagram)

Layers: Compliance, Business Impact, Risk Management, Operational Security
Inputs: IT Assets (Devices, Applications), Business Subjects (People)
Components: Integrated Risk Management Console; Control Connectors (Lumension Vulnerability Management, Lumension Data Protection, Lumension Endpoint Protection, Connector Development Kit, 3rd Party Connectors); Business Framework (Risk & Compliance); Lumension Survey; Workflow Engine

Page 29: California Data Privacy Laws: Is Compliance Good Enough?

Summary

Lumension Enables Organizations to …
» Stay ahead of remote threats
» Streamline security and operational management across heterogeneous environments
» Gain visibility into real-time patch status and overall security posture
» Save time and cost thru automation
» Elevate security posture with full visibility into and control over endpoints
» Address Data Protection regulations in California and beyond with confidence

Page 30: California Data Privacy Laws: Is Compliance Good Enough?

Questions?

Page 31: California Data Privacy Laws: Is Compliance Good Enough?

Resources and Tools

• Whitepapers
  » Ogren Group Security Analysis Case Study – Proactively Managing Endpoint Risk
  » Three Ways to Prevent USB Insecurity In Your Enterprise
  » and a host of other Data Protection whitepapers
• Other Resources
  » Podcasts, Videos, Webcasts
  » On-Demand Demos
  » eBooks
• Premium Security Tools
  » Scanners
• Product Software Evaluations
  » Virtual Environment
  » Full Software Download

Page 32: California Data Privacy Laws: Is Compliance Good Enough?

Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
[email protected]
blog.lumension.com