Adler InfoSec & Privacy Group LLC
Unified Approach to Security and Privacy
M. Peter Adler JD, LLM, CISSP, CIPP
Adler InfoSec & Privacy Group LLC

Page 1:

Unified Approach to Security and Privacy
M. Peter Adler JD, LLM, CISSP, CIPP
Adler InfoSec & Privacy Group LLC
Privacy in the Electronic Realm
April 18, 2006

Page 2:

Agenda

Problem: Sectoral/State Approach to Security and Privacy
– Statement of the Problem
– US Federal Laws and Intended Sectors
– State Laws and Intended Sectors
– Private Contractual Standards and Intended Sectors

Solution: Unified Approach to Security and Privacy Compliance

Page 3:

US Sectoral Approach Has Led to Numerous Laws and Regulations

(Diagram: US Safe Harbor, Sarbanes-Oxley (SOX), State Law, FTC, GLBA, HIPAA)

Other Important Factors
• The Payment Card Industry Data Security Standard
• International Standards (e.g., NIST and ISO 17799)
• Infrastructure Protection
• Identity Theft Prevention
• Corporate Governance and Reporting

Page 4:

…Have Created a “Silo Approach” to Compliance

(Diagram: one compliance program per regime)
GLBA – Finance Department (CFO) – Compliance Program 1
HIPAA – Human Resources/Health Care – Compliance Program 2
State Law – Compliance – Compliance Program 3
Int'l Law – HR/International Ops – Compliance Program 4

Page 5:

The Silo Problem: Multiple Compliance Efforts

– Costs more money
  Multiple consultants each offering expertise in specific areas (e.g., HIPAA, GLBA, EU Data Directive, California Law)
  So multiple efforts are undertaken when essentially a single effort would suffice

– Undermines overall compliance effectiveness
  Redundancy, inconsistency, lack of centralized oversight

(Diagram: GLBA Consultants, HIPAA Consultants, Int’l Consultants, State Law Consultants)

Page 6:

A Unified Approach to Compliance

(Diagram: Int’l Law, International Operations, HIPAA, GLBA, Other, FTC, Safe Harbor)

A Unified Approach addresses all of the regulatory regimes with one comprehensive approach to look at applicable security, privacy and other regulatory requirements.

Page 7:

HIPAA Requirements/Security

(Diagram: HIPAA COMPLIANCE – Technical Security, Administrative Security, Physical Security, Business Associate Management, Procedures, Legal Compliance)

To guard the confidentiality, integrity and availability (CIA) of health information

Page 8:

FTC Authority to Investigate

FTC has broad authority to investigate and bring actions

May work with company to resolve the matter

Where a pattern of non-compliance or egregious behaviors are involved FTC will bring an enforcement action

These actions usually result in settlements through consent decrees that include an FTC mandated security and privacy program

Page 9:

Limitation of Authority

FTC cannot regulate industries that are otherwise regulated (e.g., financial industries, common carriers)

FTC may nevertheless work closely with these other industries

FTC may share enforcement authority with other agencies/authorities

Page 10:

FTC Security and Privacy Consent Decrees

A prohibition on misrepresentation of security and privacy program protections

Fines

A requirement to establish and maintain a security program, including
– Training and proper oversight of employees and agents
– Identification of reasonably foreseeable risks
– Design and implementation of reasonable and appropriate safeguards
– Regular evaluation of the program

Page 11:

FTC Security and Privacy Consent Decrees (cont.)

An obligation to have the security and privacy program reviewed annually by an independent qualified third party

A requirement to provide certain documents related to the representations made about the company’s programs and compliance upon request by the FTC

An obligation to notify the FTC of any change which may affect the company’s compliance

A final written report of compliance upon request by the FTC

Page 12:

Previous FTC Actions Resulting in Security or Privacy Programs

Section 5 Violations for Erroneous Representations in Posted Privacy Practices

FTC alleged the companies involved promised they would take reasonable steps to protect consumers' sensitive information, but failed to do so
– Eli Lilly (January 18, 2002): information about Prozac users
– Microsoft (Aug 8, 2002): technology not as secure as claimed, but no security breach uncovered
– Tower Records (April 21, 2004): security flaw in the company’s web site exposing customers’ personal information
– Guess? (June 18, 2003): failed to use reasonable and appropriate measures to protect customers’ personal information
– Petco Animal Supplies Inc. (November 11, 2004): failed to use reasonable and appropriate measures to protect customers’ personal information
– United States of America vs. Choicepoint, Inc., 1 06-CV-0198, Dist Ct, Northern District of Georgia (other counts under FCRA/FACTA were also included)

Page 13:

FTC Complaints and Actions in the Last Year

Failure to provide reasonable and appropriate security for PI
– In the Matter of Vision I Props. LLC, FTC, No. 042-3068, 3/10/2005
– In the Matter of DSW, Inc., FTC, No. 053-3096, 3/14/2005
– In the Matter of BJ’s Wholesale Club, FTC No. 042-3160, 9/23/2005

Violations of GLBA Safeguards Rule (FTC)
– In re Sunbelt Lending Services, FTC, File No. 042-3153, 11/16/04
– In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No. 042-3104, 4/15/05
– In re Superior Mortgage Corp., FTC, File No. 052 3136, 9/28/05

Spyware
– FTC v. Odysseus Mktg. Inc., D.N.H., 1:05-cv-00330-SM (Complaint 9/21/05). The FTC claimed that since September 2003, Odysseus Marketing Inc. and its principal, Walter Rines, have advertised software that purportedly would allow consumers to engage in anonymous peer-to-peer file sharing. The agency argued the claims were false and misleading.

Page 14:

State Breach Notice Laws

The State Breach Notice Laws, generally:
– apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered;
– at a minimum, define "personal information"--the breach of which triggers the need to notify consumers--as a name in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code;
– give their state attorneys general enforcement authority;
– except Illinois, allow for a delay in notification if a disclosure would compromise a law enforcement investigation;
– allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000--Rhode Island and Delaware set lower thresholds; and
– provide a safe harbor for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law.

Page 15:

State Breach Notification Laws

Most of the laws require notification if there has been, or there is a reasonable basis to believe that, unauthorized access that compromises personal data has occurred.

However, as noted in materials, nine states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual.

Page 16:

California Passed 1st Law on Notice of Security Breach - SB 1386

Applies to all companies in California or that do business in California

Companies must disclose any security breaches to each affected California customer whose Personal Information has been compromised.
– Personal information (notice triggering information) is an individual’s first name or first initial, combined with the last name, plus any one of the following identifiers: (1) Social Security number, (2) driver’s license number or California Identification Card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the account.

Failure to comply may result in lawsuits and damages.
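The "notice triggering" definition on this slide, together with the "unencrypted" qualifier from the general state-law summary on page 14, is the kind of rule an incident responder has to apply to every row of a breached dataset. The following is an added example, not part of the deck and not the statute text: it encodes the definition as summarized on these two slides in a small Python triage helper. The Record fields, the function names, and the sample rows are this example's own constructions; in particular, a card or account number counts only together with its access code, and a field stored encrypted does not count at all.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example (not from the deck): a record type and checks that
# encode the SB 1386 "notice triggering" definition as the slide states it.
# Field and function names are this example's own, not from the statute.


@dataclass(frozen=True)
class Record:
    first_name: str | None = None        # first name or first initial
    last_name: str | None = None
    ssn: str | None = None               # (1) Social Security number
    license_or_id: str | None = None     # (2) driver's license or CA ID card number
    account_number: str | None = None    # (3) account, credit or debit card number
    access_code: str | None = None       # security/access code or password for (3)
    encrypted: frozenset[str] = frozenset()  # fields stored encrypted in the breached data

    def exposed(self, name: str) -> bool:
        """A field counts only if it was present and not encrypted (page 14)."""
        return getattr(self, name) is not None and name not in self.encrypted


def triggering_identifiers(rec: Record) -> list[str]:
    """Return which of identifiers (1)-(3) are exposed; (3) only with its code."""
    found = []
    if rec.exposed("ssn"):
        found.append("ssn")
    if rec.exposed("license_or_id"):
        found.append("license_or_id")
    if rec.exposed("account_number") and rec.exposed("access_code"):
        found.append("account_number+access_code")
    return found


def requires_notice(rec: Record) -> bool:
    """Name (first name or initial plus last name) combined with >= 1 identifier."""
    has_name = rec.exposed("first_name") and rec.exposed("last_name")
    return has_name and bool(triggering_identifiers(rec))


def triage(records: list[Record]) -> dict[str, int]:
    """Count breached records that do / do not meet the notice definition."""
    counts = {"notify": 0, "no_notice": 0}
    for rec in records:
        counts["notify" if requires_notice(rec) else "no_notice"] += 1
    return counts


# Constructed sample rows from a hypothetical breached table; not real data.
SAMPLE = [
    Record("Ana", "Lopez", ssn="000-00-0000"),                       # name + SSN: notify
    Record("B", "Chen", license_or_id="D0000000"),                    # initial + DL: notify
    Record("Cal", "Reyes", account_number="4111000000000000"),        # card, no code: no notice
    Record("Dee", "Park", account_number="4111000000000000",
           access_code="123"),                                        # card + code: notify
    Record("Eli", "Ng", ssn="000-00-0001",
           encrypted=frozenset({"ssn"})),                            # SSN encrypted: no notice
    Record("Fay", None, ssn="000-00-0002"),                          # no last name: no notice
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'notify': 3, 'no_notice': 3}
```

The split between the name test and the identifier test mirrors the slide's structure, which makes it easy to extend the identifier list when a state defines "personal information" more broadly than the California baseline.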

Page 17:

Since Then…State Breach Notice Laws Proliferate

Arkansas (SB 1167)
California (SB 1386)
Connecticut (SB 650)
Delaware (HB 116)
Florida (HB 481)
Georgia (SB 230)
Illinois (SB 1633)
Indiana (SB 503, HB 1101)
Louisiana (SB 205)
Maine (LD 1671)
Minnesota (HF 2121, HF 225)
Montana (HB 732)
Nevada (SB 347, AB 334)
New Hampshire (HB 1660)
New Jersey (A 4001)
New York (SB 347)
North Carolina (SB 1048)
Ohio (Subst. HB 104)
North Dakota (SB 2251)
Rhode Island (H 6191)
Tennessee (SB 2220)
Texas (SB 122)
Utah (SB 69)
Washington (SB 6043)
Wisconsin (SB 164)

Page 18:

Federal Efforts – Notice of Security Breach

Over 24 laws introduced in the past two years, e.g.,
– Data Accountability and Trust Act (DATA) (HR 4127) (“reasonable risk”)
– (HR 3997) (no state Attorneys General auth)

All would preempt state law

Differ in terms of safe harbor, exemptions, penalties, notice procedures

Page 19:

SB 1386 Litigation

Parke v. CardSystems Solutions Inc., Cal. Super. Ct., No. CGC-05-442624.
– June 17 discovery that hackers broke into a CardSystems computer system that held private financial data on more than 40 million credit cards issued by MasterCard and other major credit card companies
– Class action filed June 27 alleges that MasterCard, Visa International and CardSystems failed to protect consumers' privacy rights and notify consumers in a timely manner of the breach
– Complaint was amended July 6 to add a prayer for damages, as well as allegations of negligence and alleged violations of California Civil Code Section 1798.82, popularly known as S.B. 1386
– Show cause order issued 8/1/05 why preliminary injunction should not be granted to force CardSystems to provide notice to all Californians

Page 20:

California Raises the Bar: AB 1950 New Information Security Standard

Signed into law on September 29, 2004.

Creates an information security standard for non-medical and non-financial entities that have personal information about their customers
– Exempts financial institutions, or entities governed by HIPAA privacy rules
– Does not define what "reasonable security measures" are other than "procedures and practices appropriate to the nature of information to protect the personal information from unauthorized access, destruction, use, modification or disclosure"
– Covers "personal information", that is, a name, Social Security number, driver's license number, and California identification number and account, credit, or debit card numbers in combination with passwords, security, or access codes.

Medical information is also covered by the law, and is defined as "any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional."

Page 21:

Security and Privacy Compliance Plan

Overview of the “Unified Approach”

Page 22:

Unified Approach To Security

(Table: Security Practice mapped against ISO 17799, NIST 800 Series, HIPAA Sec. Standards, GLBA, California Guidelines (SB 1386))

Administrative Safeguards
– Security Management Process
– Assigned Security Responsibility
– Workforce Security
– Management of Information Access
– Security Incident Procedures
– Contingency Planning (Generally)
– Review/Evaluation X X
– Contracts
– Security Awareness and Training

Page 23:

Unified Approach to Security

(Table: Security Practice mapped against ISO 17799, NIST 800 Series, HIPAA, GLBA, California Guidelines (SB 1386))

Physical Safeguards
– Facility Access Controls (Generally)
– Workstation Use and Security (Generally)
– Device and Media Controls

Technical Safeguards
– Access Control
– Audit Controls
– Integrity Controls
– Person or Entity Authentication
– Transmission Security

Page 24:

Unified Approach to Privacy

(Table: Common Criteria principle, then the corresponding OECD Guidelines | GLBA | Safe Harbor Principles | HIPAA provisions)

Notice: Openness | Notification | Notice | Notice of Privacy Practices
Collection: Collection Limitation, Purpose Specification | Information Collection Limitation | Collection Limitation | Marketing and fundraising; Minimum Necessary Rule
Use and Retention: Use Limitation | Uses Limitation | Onward Transfer | Minimum Necessary Rule
Choice/Consent: – | Choice | Choice | Individual Rights
Security: Security Safeguards | Safeguards | Security | Safeguards
Third Party Disclosures: Accountability | Regulatory and Contractual | Contractual | Contractual (Min. Necessary Rule)
Quality: Data Quality | Integrity | Data Integrity | Integrity (Security Regs.)
Access: Individual Participation | Access/Correction | Access | Access/Correction
Monitoring and Enforcement: – | Enforcement | Enforcement | Enforcement Provisions

Page 25:

Protecting Information/Achieving Compliance

(Diagram: Attorney-Client Privilege; Compliance Program Integration; Training & Change Management; Identify Applicable Laws; Risk Analysis and Report; Implementation; Compliance; Legal Evaluation)

Page 26:

Fundamental Process

Identify assets to be protected
Conduct risk assessment
Identify and select reasonable and appropriate controls
Implement controls
Training and awareness
Review (audit) effectiveness and make necessary adjustments

Page 27:

Contact Information

M. Peter Adler
Adler InfoSec & Privacy Group LLC
2103 Windsor Road
Alexandria, VA 22307
Telephone: (202) 251-7600
Facsimile: (703) 997.5633
Email: [email protected]