In-House Counsel’s Top Concern: Does Our Company’s Data Security Measure Up? By John P. Hutchins, Troutman Sanders LLP, April 17, 2013

Transcript

Page 1:

In-House Counsel’s Top Concern: Does Our Company’s Data Security

Measure Up?

By John P. Hutchins

Troutman Sanders LLP, April 17, 2013

Page 2:

What Is In-House Counsel’s Top Concern?

• More than half say data security – Inhousecounsel.com, December 2012

• “Data thieves ‘honing in on’ the ‘retail bullseye’” – Fox Business, February 2013

• Retail accounted for 45% of total breaches in 2012
– 15% year-over-year increase from 2011

Page 3:

Retailer Breach Examples

• Barnes & Noble – 2011
– Hackers attacked PIN pad devices at POS
– 63 stores
– Stole card and PIN data

• Zappos – 2012
– 24 million customers
– Names, billing addresses, phone numbers, truncated credit card numbers and “cryptographically scrambled” passwords

Page 4:

Retailer Breach Examples

• Subway and other unnamed retailers
– Card data of 80,000 customers
– Millions of dollars in unauthorized purchases from 2008 to May 2011
– Hackers, all 20-something Romanian nationals, infiltrated more than 200 U.S.-based merchants’ point-of-sale systems after scanning the Internet for vulnerable POS systems

Page 5:

Retailer Breaches Common

• What Can Be Done?
• Develop an Information Security Program
• Including regular Security Audits

Page 6:

Some Laws Requiring Information Security Program

• Old regime – only case law

– Case law recognizes a cause of action for public disclosure of private facts.

– Plaintiff must prove three prongs: (1) the facts were publicly disclosed, (2) the facts disclosed were private facts, and (3) the disclosure would offend a reasonable person of ordinary sensibilities.

• New regime – statutory framework

– Information security breach laws: immediate notice when customer information may have been breached.

Page 7:

Mass. Reg. 201 CMR 17.00 – Requirement of an “Information Security Program”

• 2008
• It is a legal obligation
• It is a defense to liability
• It is (or will soon be) contractually required by your business partners
• It actually helps improve data security

Page 8:

Nothing New Under the Sun

• GLB security regulations (Fed, OTS, FDIC, OCC) – 2001
• GLB security regulations (FTC) – 2002
• FTC enforcement actions – 2002–present
• HIPAA security regulations (HHS) – 2003 (and recent amendments)
• Oregon (as a safe harbor) – 2007
• AG enforcement actions and developing case law
• Argentina, Austria, EU Data Protection Directive, Iceland, Italy, Netherlands, Norway, Philippines, Poland, Portugal, Spain

Page 9:

What is a Security “Program?”

• A security “policy” is NOT a security “program”
– An e-mail policy, a password policy, or any other policy is not, by itself, a security program

• Security “controls” are NOT a security “program”
– Firewalls, virus detection software, encryption capabilities, and other security controls do not, by themselves, constitute a security program

• A compliant program may include all of the above

Page 10:

Where Do I Start?

• Start with the concept that security is relative
– E.g., the security needed for launching nuclear missiles is different than the security needed for running a retail operation

• Then, assume –
– You have had a security breach,
– You have been sued in a class action, and
– You are on the witness stand, being grilled by the plaintiff’s attorney about “why” you did, or did not, implement particular security controls

• Consider –
– How you answer those questions, and
– What documentation you have to back up those answers!

Page 11:

Who Can I Get to Help?

• It requires an interdisciplinary effort between --
– Security professionals
– Lawyers

• Neither can do the whole project without the other
• Typically it should be either –
– A two-stage project (security analysis followed by legal analysis)
– A joint lawyer / security professional project

Page 12:

Building a Comprehensive Security Program

• It must be in writing
– “If it’s not in writing, it doesn’t exist”

• It must be risk-based
• It consists of –
– A process of risk assessment and evaluation, and
– Implementation of appropriate security controls

Page 13:

Basic Requirements

• Understand the Data
• Risk assessment
– Evaluate risks and vulnerabilities in context of company’s environment
• Risk mitigation
– Implement reasonable and appropriate security controls to protect against reasonably anticipated threats or hazards to security of data

Page 14:

Risk Assessment

• Risk assessment is the foundational element in the process of achieving compliance

• Law does not prescribe a specific risk assessment methodology
– Numerous methods of performing a risk analysis – no single method or “best practice” guarantees compliance

• Outcome is a critical factor in assessing whether a security control is reasonable.

Page 15:

Risk Assessment = Audit

• Start with Understanding Your Data
– What Do We Collect?
– How (where and by whom) do we collect it?
– What do we do with it?

Page 16:

Risk Assessment = Audit

• What Do We Collect?
– Credit card data, name, address (including zip?), telephone, email address, purchase history, promotional history

• How (where and by whom) do we collect it?
– POS, e-commerce website, loyalty card program
– Handheld or other mobile devices, PIN pads, registers, third party service providers

• What do we do with it?
– Marketing, sharing with third parties?
– Storage (how long), disposal

Page 17:

Sample Questions

• Is the data entered into an electronic storage system?
– If so, what system is it entered into?

• Who manages that system? Retailer or an outside vendor?

Page 18:

Sample Questions

• What use is made of the data?
• How long is the data stored?
– What data retention plans are in place to assure that the data is kept only as long as it is needed?
– If customers “opt in” by filling out a paper card, are they ever later given the right to “opt out?”
• How is this implemented?

Page 19:

Sample Questions

• What administrative, physical and technical security safeguards are in place to protect the data that is electronically stored? For instance:
– How is access controlled?

• Is access limited by password?

• Is remote access possible?

• Are passwords revoked once an employee with access is terminated?

– What is the process for this?
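The last two questions on this slide (remote access, and whether credentials are revoked when an employee leaves) are ones a security team can answer with evidence rather than assurance. The script below is an added example, not part of the original presentation: it reconciles an HR termination feed against an export of accounts (from a directory service or a POS back-office user table) and flags accounts that remained enabled, or were used, after the person's termination date, as well as accounts with no human owner. The HR feed, account export, account names and review date are all constructed for illustration.

```python
# Added example, not from the slides: turn "are passwords revoked once an
# employee with access is terminated?" into a repeatable check that produces
# evidence. It reconciles an HR termination feed against a directory or
# application user export. All records below are constructed.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: employee id -> termination date (None = still employed).
HR_TERMINATIONS: Dict[str, Optional[date]] = {
    "E1001": date(2013, 3, 1),
    "E1002": None,
    "E1003": date(2013, 3, 15),
    "E1004": date(2013, 2, 10),
}

# Constructed account export (e.g. from AD/LDAP or a POS back-office user table):
# (account, employee id or None, enabled?, last successful logon)
DIRECTORY_EXPORT: List[Tuple[str, Optional[str], bool, datetime]] = [
    ("jdoe",    "E1001", True,  datetime(2013, 3, 4, 9, 12)),   # logon after leaving
    ("asmith",  "E1002", True,  datetime(2013, 4, 1, 8, 0)),    # current employee
    ("bkim",    "E1003", False, datetime(2013, 3, 14, 17, 30)), # disabled on time
    ("rlee",    "E1004", True,  datetime(2013, 2, 9, 11, 45)),  # never disabled
    ("svc_pos", None,    True,  datetime(2013, 4, 10, 3, 0)),   # no human owner
]

# Date the review is run (constructed).
REVIEW_DATE = date(2013, 4, 17)


@dataclass(frozen=True)
class Finding:
    account: str
    employee_id: Optional[str]
    issue: str   # ENABLED_AFTER_TERM | LOGON_AFTER_TERM | NO_OWNER
    detail: str


def review_leavers(hr, directory, as_of: date, grace_days: int = 1) -> List[Finding]:
    """Flag accounts that should have been revoked by `as_of`.

    ENABLED_AFTER_TERM: still enabled more than `grace_days` after termination
    LOGON_AFTER_TERM:   a successful logon recorded on/after the termination date
    NO_OWNER:           account not linked to anyone in the HR feed
    """
    findings: List[Finding] = []
    for account, emp, enabled, last_logon in directory:
        if emp is None or emp not in hr:
            findings.append(Finding(account, emp, "NO_OWNER",
                                    "no HR record; assign an owner or disable"))
            continue
        term = hr[emp]
        if term is None:
            continue  # still employed; a periodic access review covers this case
        term_start = datetime.combine(term, datetime.min.time())
        if last_logon >= term_start:
            findings.append(Finding(account, emp, "LOGON_AFTER_TERM",
                                    f"last logon {last_logon:%Y-%m-%d %H:%M} on/after termination {term}"))
        if enabled and as_of > term + timedelta(days=grace_days):
            findings.append(Finding(account, emp, "ENABLED_AFTER_TERM",
                                    f"enabled {(as_of - term).days} days after termination"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per issue type: the numbers that go into the audit report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_leavers(HR_TERMINATIONS, DIRECTORY_EXPORT, REVIEW_DATE)
    for f in results:
        print(f"{f.issue:<19} {f.account:<8} {f.detail}")
    print(summarize(results))
```

The point of keeping both the input exports and the findings is documentary: on the constructed data the check shows one account used three days after its owner left and a second never disabled, which is exactly the kind of record (or gap) the "witness stand" slide earlier in the deck asks you to imagine defending.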

Page 20:

Sample Questions

• With regard to credit card transactions
– Do we collect zip codes? Is that ok in the states where we do business?
– Is the card number truncated automatically at the time the card is swiped?
– Is the full card number stored anywhere, even temporarily?
– Is there a time limit on how long the card data (name and truncated card number) is maintained?
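"Is the full card number stored anywhere, even temporarily?" is usually answered by scanning the places data lands (POS logs, order tables, batch exports) rather than by asking. The script below is an added example, not part of the original presentation: it finds Luhn-valid card numbers in stored records, using the check digit to discard the timestamps and invoice numbers a bare digit regex would also match, and shows the truncated form (first six, last four) that a swipe-time truncation should leave behind. The sample records are constructed; the card numbers in them are the publicly known test numbers, not real cards.

```python
# Added example, not from the slides: answer "is the full card number stored
# anywhere, even temporarily?" by scanning stored records for Luhn-valid PANs,
# and show what truncation at swipe time should leave behind. The records and
# card numbers below are constructed (the PANs are published test numbers).
import re
from typing import Iterable, List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in
# a longer digit run. The regex over-matches (timestamps, invoice numbers), so
# the Luhn check below does the real filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Luhn-valid PANs in `text`, separators removed.

    Deliberately conservative: a PAN fused into a longer digit run (no
    separator) is not reported, because the lookarounds require a clean edge.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def truncate_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: Iterable[str]) -> List[Tuple[int, str]]:
    """(record index, truncated PAN) for every full PAN found.

    Only the truncated form is returned so the scanner's own output does not
    become one more place where full card numbers are stored.
    """
    found = []
    for idx, line in enumerate(records):
        for pan in find_pans(line):
            found.append((idx, truncate_pan(pan)))
    return found


# Constructed sample: a POS log line, an order record, a batch export, and
# a record with digit runs that are not card numbers.
SAMPLE_RECORDS = [
    "2013-04-12 14:02:11 POS-07 sale ok amount=48.20 pan=4111111111111111 auth=018273",
    "order 88213 cust=jane@example.com card=5555 5555 5555 4444 exp=11/15",
    "batch export: 4111-1111-1111-1111,378282246310005,3782822463100050",
    "ticket 442 phone=4045550100 invoice=1234567890123",
]

if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: full PAN present -> store at most {masked}")
```

On the constructed records the scan reports four full card numbers in three records and nothing for the fourth, where the 13-digit invoice number fails the Luhn check. The same logic, pointed at a database dump or a log directory, gives the retention question its evidence too: any hit is a place where full PANs are kept, and the record timestamps show for how long.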

Page 22:

Sample Questions

• What is the security infrastructure for the system(s) where this data is stored?
– Is the data stored in one place or is it duplicated to more than one system?
– Is it stored onsite or hosted in a data center?
• Do third parties have physical access to our space?
• Is there technical security promised by the data center at the point of interconnection?
– What’s the disaster prevention and recovery environment?

Page 23:

Vendor Assessment

• Assessment of vendors is part of an overall Information Security Program
– Is your e-commerce vendor PCI compliant?
– Do your outside vendors use any other particular standard by which they measure their security?
• ISO 27001
• SOC 1, 2 or 3 (SOC 1 replaced SAS 70 under SSAE 16)

Page 24:

Assess the Threat

• Threat – anything with potential to cause harm
– Human threats – e.g., hackers, dishonest employees
– Environmental threats – e.g., fire, power outage, static electricity
– Natural threats – e.g., flood, earthquake, tornado
– Technical threats – e.g., virus, worm, spyware, SQL injection

Page 25:

Assess the Threat

• Vulnerability – a flaw or weakness that allows a threat to succeed in causing harm

• Impact – extent of the resulting harm

• Risk = likelihood that a threat will exploit a vulnerability and cause harm

Page 26:

Elements of a Risk Assessment

• Define the scope of the effort – systems, processes, data
• Identify the threats
• Identify the vulnerabilities (flaws or weaknesses)
• Assess current security measures
• Determine likelihood of a threat exploiting a vulnerability
• Determine potential impact of threat occurrences

Page 27:

Elements of a Risk Assessment

• Determine level of risk – likelihood and magnitude balanced against existing controls

• Recommend controls to reduce risk to an acceptable level

• Document the risk analysis

See NIST SP 800-30
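The steps on this slide and the previous one (identify threats and vulnerabilities, assess existing controls, determine likelihood and impact, set the risk level, recommend controls, document) are a procedure, and a small risk register makes the arithmetic behind "balanced against existing controls" concrete. The code below is an added example, not part of the original presentation: it scores each risk on a qualitative 3x3 likelihood-by-impact matrix, credits existing controls against whichever axis they affect, compares the residual level to an acceptable threshold, and emits the written record. The three-level scales, the sample threats for a retailer, and the control credits are all constructed; NIST SP 800-30 describes the method but leaves the scales to the organization.

```python
# Added example, not from the slides: a minimal risk register that carries the
# steps on the two "Elements of a Risk Assessment" slides through to a
# documented result. Scales, threats and controls below are constructed;
# NIST SP 800-30 describes the method but leaves the scales to you.
import json
from dataclasses import dataclass, field
from typing import List

LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Control:
    name: str
    reduces: str      # "likelihood" (preventive) or "impact" (detective/responsive)
    by: int = 1       # how many levels the control is credited with


@dataclass
class Risk:
    scope: str                # system, process or data in scope
    threat: str
    vulnerability: str
    likelihood: str           # inherent level, before existing controls
    impact: str
    existing_controls: List[Control] = field(default_factory=list)


def residual(level: str, controls: List[Control], axis: str) -> int:
    """Credit existing controls against one axis; never below 'low'."""
    score = LEVELS[level]
    for c in controls:
        if c.reduces == axis:
            score = max(1, score - c.by)
    return score


def risk_score(r: Risk) -> int:
    """Risk = residual likelihood x residual impact (1..9 on a 3x3 matrix)."""
    return (residual(r.likelihood, r.existing_controls, "likelihood")
            * residual(r.impact, r.existing_controls, "impact"))


def risk_level(score: int) -> str:
    """Map the 3x3 product back to a level: 1-2 low, 3-4 moderate, 6-9 high."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "moderate"
    return "high"


def assess(register: List[Risk], acceptable: str = "low") -> List[dict]:
    """Determine the level of each risk, decide whether it is acceptable, and
    return entries suitable for the written risk analysis."""
    entries = []
    for r in register:
        score = risk_score(r)
        level = risk_level(score)
        entries.append({
            "scope": r.scope,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "inherent": f"{r.likelihood} likelihood / {r.impact} impact",
            "existing_controls": [c.name for c in r.existing_controls],
            "residual_score": score,
            "residual_level": level,
            "action": ("accept" if LEVELS[level] <= LEVELS[acceptable]
                       else "recommend additional control"),
        })
    return entries


def document(entries: List[dict]) -> str:
    """The part that matters on the witness stand: a reviewable written record."""
    return json.dumps({"methodology": "qualitative 3x3, NIST SP 800-30 style",
                       "risks": entries}, indent=2)


# Constructed register for a retailer.
REGISTER = [
    Risk("POS PIN pads", "tampered PIN pad / skimmer", "no tamper seals or daily inspection",
         "high", "high"),
    Risk("E-commerce database", "SQL injection", "string-built queries",
         "high", "high",
         [Control("web application firewall", "likelihood"),
          Control("PAN truncated at rest", "impact")]),
    Risk("Store back office", "fire", "single site, local data only",
         "low", "high", [Control("encrypted off-site backups", "impact", 2)]),
    Risk("Marketing mailing list", "dishonest employee", "shared login",
         "moderate", "low", [Control("named accounts with access logging", "likelihood")]),
]

if __name__ == "__main__":
    print(document(assess(REGISTER)))
```

Two points the numbers make that the slide only states: the uncontrolled PIN-pad risk scores 9 and the SQL-injection risk still scores 4 after two controls, so both land on the "recommend" side of the threshold, while the fire risk, high impact but covered by off-site backups, is accepted. Whatever scale you choose, write the scale and the control credits down with the register; the methodology is part of the documentation.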

Page 28:

Some Risk Assessment Sources

• Risk Management Guide for Information Technology Systems; NIST Special Publication 800-30
– http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

• HIPAA Security Standards: Guidance on Risk Analysis; Office for Civil Rights (OCR), Draft, May 7, 2010
– www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf

• Risk Assessment Standard: ISO/IEC 27001:2005

Page 29:

Risk Mitigation – Security Controls

• Types of controls
– Physical
– Technical
– Administrative

• Focus of controls
– Preventive
– Detective
– Responsive

Page 30:

Common Legally-Required “Categories” of Security Controls

• Physical controls
– Facility and equipment
– Media

• Technical controls
– Access controls
– Identification and authentication
– System configuration and change management
– System and information integrity
– Data communications protection
– Maintenance
– System activity monitoring

• Administrative controls
– Personnel security
– Employee awareness and training
– Backup and disaster planning
– Incident response planning

Page 31:

Beware of Non-Risk-Based Controls: A New Trend?

• There are some state law exceptions to risk-based controls
• Examples include --
– Encryption – CA, MA, MD, NV, etc.
– Firewalls – MA
– Virus software – MA
– Patch management – MA

• Important to address these legal requirements as well

Page 32:

Evaluation and Assessment

• Continually monitor the effectiveness of the program

• Include training as critical aspect of program

• Regularly review, reassess, and adjust the program

Page 33:

John P. Hutchins

(404) 885-3460

John represents businesses in all types of commercial litigation, and also in various types of transactions involving information technology, intellectual property and privacy and data security. He leads the firm’s Information Management Team. John's 20 years of litigation experience runs the gamut in subject matter, from eminent domain, to vintage race cars, to death penalty habeas corpus, but he has particular expertise in cases involving computer hardware and software development projects, government procurement, protection of trade secrets and proprietary business information, the Internet and e-commerce, privacy and data security, cloud computing, trademark and copyright infringement, restrictive covenants and breach of fiduciary duty.