
Educause Security Professionals Conference 2007

Roundup of Legal Developments in Cybersecurity & Privacy Law

M. Peter Adler JD, LLM, CISSP, CIPP

Adler InfoSec & Privacy Group LLC

Interim Director of Privacy and Cybersecurity, Montgomery College, Rockville, MD

Adler InfoSec & Privacy Group LLC



Agenda

  • Overview of federal legislation relating to privacy and security

  • Developments in security and privacy laws and regulations over the past year

  • Key agency actions and litigation




Overview of Federal Security and Privacy Legislation Relevant to Higher Education




Key Federal Privacy Laws and Regulations – HIPAA, GLBA, COPPA

  • GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. §§6801,6805




GLBA - Reach

  • The Securities and Exchange Commission ("SEC"); 65 Fed. Reg. 40362, codified at 17 C.F.R. § 248.30 (SEC)

  • The National Credit Union Administration (“NCUA”); 12 C.F.R. Parts 716 (privacy) and 748 (security)

  • Federal Banking Agencies: Interagency Guidelines Establishing Standards for Safeguarding Customer Information; 66 Fed Reg. 8616, codified as follows:

    • The Office of the Comptroller of the Currency (“OCC”), 12 C.F.R. Part 30 (Treasury)

    • The Board of Governors of the Federal Reserve System, 12 C.F.R. Parts 208, 211, 225 and 263

    • The Federal Deposit Insurance Corp. ("FDIC"), 12 C.F.R. Parts 408 and 364

    • The Office of Thrift Supervision ("OTS"); codified at 12 C.F.R. Parts 568 and 570 (security) and 573 (privacy)




GLBA and Higher Education

  • Most higher education institutions are pulled under GLBA through the processing of student loans

    • GLBA Privacy provisions are met if the institution complies with FERPA

    • The Security Regulations Do Apply

      • Standards for Safeguarding Customer Information; Final Rule: 67 Fed. Reg. 36484, codified at 16 C.F.R. Part 314 (“GLBA Safeguards”)




Additional GLBA Provisions

  • In addition to the imposition of safeguards, these regulations also provide for:

    • Record disposal: FCRA (as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACTA)), 15 U.S.C. §1681 (record disposal)

    • Breach Notification Rule




Family Educational Rights & Privacy Act (FERPA)

  • Leading federal privacy law for educational institutions.

  • Imposes confidentiality requirements over student educational records.

  • Prohibits institutions from disclosing "personally identifiable education information", such as grades or financial aid information, without the student's written permission.

  • Provides students with the right to request and review their educational records and to make corrections to those records.

  • Law applies with equal force to electronic and hardcopy records.




Federal Information Security Act of 2002 (FISMA)

  • FISMA: Federal Information Security Act of 2002, 44 U.S.C. §3537 et seq.

    • Requires compliance with a set of federal government information security standards:

      • Federal Information Processing Standards (FIPS)

      • NIST Standards

  • Applies to federal information systems

    • An information system used or operated by an executive agency, or by another organization on behalf of an executive agency

  • May be applicable to higher education:

    • Through government contracts

    • Also, some federal agencies (e.g., Labor) are beginning to hold fund recipients to these standards. The Department of Education, National Science Foundation and National Institutes of Health may do the same: see ECAR Report, page 93.




HIPAA

  • HIPAA: Health Insurance Portability and Accountability Act, 42 U.S.C. §§ 1320d-2 and 1320d-4

    • 45 C.F.R. Parts 160 and 164

    • Applies to health care providers, plans and clearinghouses

    • In higher education will apply to student health services




Sarbanes Oxley

  • Sarbanes Oxley Act, 15 U.S.C. §§7241 and 7267 (SOX)

  • Not really relevant to Higher Education, but some institutions desire to become “SOX Compliant”




SOX and Security

  • Sarbanes Oxley Act, 15 U.S.C. §§7241 and 7267

    • COBIT Standard

  • SOX is "basically silent" on information security

  • However, information security is implicit:

    • Certification of effectiveness of controls (404)

    • Annual assessment and report on effectiveness of the controls (302)

  • The SEC final rules require management to certify that two types of controls have been established and that their effectiveness has been assessed:

      • Access Security

      • Internal Controls



SOX Standards: COSO and COBIT

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

  • COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance

  • Elements of the COSO framework:

    • Integrity and Ethical Values

    • Commitment to Competence

    • Board of Directors or Audit Committee

    • Management Philosophy and Operating Style

    • Organizational Structure

    • Assignment of Authority and Responsibility

    • Human Resource Policies and Procedures

COBIT (Control Objectives for Information and related Technology)

  • COBIT Security Baseline:

    • Security Policy

    • Security Standards

    • Access and Authentication

    • User Account Management

    • Network Security

    • Monitoring

    • Segregation of Duties

    • Physical Security


Emerging Issues


Communications Assistance for Law Enforcement Act (CALEA)

  • Aug. 5, 2005: the FCC adopted a final order providing that certain wireline broadband and interconnected Voice over Internet Protocol (VoIP) services be prepared to accommodate law enforcement wiretaps pursuant to CALEA (treating them as a hybrid between traditional telecommunications carriers and information services)

  • Privacy groups challenged the commission's ruling in court

  • June 9, 2006: the U.S. Court of Appeals for the D.C. Circuit ruled that the expansion of a federal law enforcement telecommunications wiretapping law to certain broadband Internet service and VoIP providers is legal (American Council on Educ. v. FCC, D.C. Cir., No. 05-1404, petition denied 6/9/06)


Applicability of CALEA to Private Networks

  • The FCC's Order recognized that "private broadband networks or intranets that enable members to communicate with one another and/or to receive information from shared data libraries not available to the general public . . . appear to be private networks for purposes of CALEA," and thus exempt.

  • At the same time, however, the Order suggested that the exemption could be lost if such private networks connect to the Internet, as virtually all higher education networks do. The Order stated: "To the extent that . . . private networks are interconnected with a public network, either the PSTN or the Internet, providers of the facilities that support the connection of the private network to the public network are subject to CALEA under the SRP."

  • In subsequent meetings and press statements, the FCC declined to elaborate on the meaning of this statement.


Does the Campus Network "Support" the Connection to the Internet?

  • While the language in the FCC Order is cryptic, the FCC's court brief sets forth a more workable test: colleges and universities that "provide their own connection to the Internet" are subject to CALEA (at least with respect to those Internet connection facilities), while institutions that rely on a third party for this connection are exempt.


Does the Campus Network "Support" the Connection to the Internet?

  • This still leaves some gray areas, but the FCC most likely would conclude that an institution provides its own Internet connection when it constructs, purchases, leases, or otherwise operates fiber optic or other transmission facilities and associated switching equipment that link the campus network to an ISP's point of presence.


Communications Assistance for Law Enforcement Act (CALEA) – Exempt

  • In contrast, the FCC most likely would conclude that an institution is exempt if it obtains access to the Internet by (1) contracting with an ISP or regional network to pick up Internet traffic from a campus border router, (2) purchasing a private line or other transmission service from a telecommunications carrier on a contractual or tariffed basis (as opposed to leasing dark fiber or other facilities), or (3) relying on some combination of these approaches.

  • If a campus network is closed (i.e., does not connect to the Internet), it is clearly exempt from CALEA under the private network exemption.

  • Interconnected networks that support their own Internet connection appear to enjoy a limited exemption if they otherwise qualify as "private." Specifically, only the gateway equipment itself is subject to CALEA – the Internet portions of a private network remain exempt.


Communications Assistance for Law Enforcement Act (CALEA) – Deadlines

  • The CALEA compliance deadline remains May 14, 2007, and applies equally to all facilities-based broadband access providers and interconnected VoIP service providers, with restricted availability of compliance extensions.

  • Carriers are permitted to meet their CALEA obligations through the services of "Trusted Third Parties (TTP)", including processing requests for intercepts, conducting electronic surveillance, and delivering information to LEAs. However, carriers remain responsible for ensuring the timely delivery of information to the LEA and protecting subscriber privacy, as required by CALEA.


Discovery Rules

"The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the party's preparation for trial." - Black's Law Dictionary

The Federal Rules of Civil Procedure (and most state law) provide the following discovery tools:

  • Depositions Upon Oral or Written Questions (Rules 30, 31 and 32)

  • Written Interrogatories (Rule 33)

  • Production of Documents or Things (Rule 34)

  • Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34)

  • Physical and Mental Examinations (Rule 35)

  • Requests for Admission (Rule 36)

Tools to Ensure or Excuse Discovery:

  • Motion to Compel (Rule 37(a))

  • Sanctions (Rule 37(b), (c) & (d))

  • Protective Orders (Rule 26(c))


E-Discovery: 12/2006

  • New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) are expected by December of this year.

  • These Rules are broken into the following categories:

    • Early attention to electronic discovery issues: Rules 16 and 26(f)

    • Better management of discovery into ESI that is not reasonably accessible: Rule 26(b)(2)

    • New provision setting out procedure for assertions of privilege after production: Rule 26(b)(5)

    • Interrogatories and Requests for Production of ESI: Rules 33 and 34

    • Application of sanctions rules pertaining to ESI: Rule 37


Real ID Act

  • Real ID Act (H.R. 1268) – Part of a supplemental bill funding wars in Iraq and Afghanistan (signed May 2005)

    • Will tighten requirements for identification cards acceptable to the federal government, require proof that an applicant is legally in the country, and require state participation in a national driver's license data sharing program

    • Tasked the DHS with proposing regulations to implement minimum standards for identification cards acceptable for federal government purposes, such as boarding a domestic airline flight

    • Requires data exchange between the states and between individual states and the federal government

    • Commercial airline passengers would have to provide the new card or a passport to board a U.S. plane

    • Amounts to the first step toward creation of a national identification card, which raises concerns about ensuring the privacy and security of information being shared


New Laws

  • "Veterans Benefits, Health Care, and Information Technology Act of 2006" (S. 3421)

    • Requires the VA to adopt rules for notifying veterans in the case of a breach of their personal data

    • Signed December 22, 2006

  • "Undertaking Spam, Spyware, and Fraud Enforcement Beyond Borders Act" (S. 1608)

    • Known as the US SAFE WEB Act, authorizes the FTC to share information with foreign agencies that treat consumer fraud and deception as a criminal law enforcement issue

    • Signed December 22, 2006

  • Telephone Records and Privacy Protection Act of 2006 (HB 4709)

    • Anti-pretexting law

    • Signed by the President January 12, 2007


Pending Federal Notice of Breach Legislation


Federal Efforts – Notice of Security Breach, Senate

Senate:

  • S. 495, "Personal Data Privacy and Security Act of 2007" (PDPSA), Leahy-Specter Bill

  • S. 239, "Notification of Risk to Personal Data Act of 2007"

    • Both would preempt state law

    • Differ in terms of safe harbor, exemptions, penalties, notice procedures


Federal Notice of Breach Law Status

  • The Personal Data Privacy and Security Act of 2007 would, among other things:

    • require organizations to notify consumers of security breaches

    • mandate the adoption of internal policies to protect personal data


Leahy-Specter 2007 Security Program

  • Requires companies that have databases with personal information on more than 10,000 Americans to:

    • establish and implement data privacy and security programs, and

    • vet third-party contractors hired to process data.

  • There are exemptions for companies already subject to data security requirements under Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act.


Leahy-Specter 2007

  • The Personal Data Privacy and Security Act of 2007 would:

    • Make it a crime to intentionally or willfully hide a security breach;

    • Provide consumer access and correction rights to information held by commercial data brokers;

    • Require companies to notify authorities of breaches;

    • Require government agencies to adopt privacy protection rules when agencies use information from commercial data brokers; and

    • Require audits of government contracts with commercial data brokers.


Leahy-Specter 2007 Required Notices

  • Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised.

  • The trigger for notice is tied to a significant risk of harm, with appropriate checks and balances to prevent over-notification as well as underreporting.

  • There are exemptions for national security and law enforcement needs, for credit card companies using fraud-prevention techniques, or where a breach does not result in a significant risk of harm.


Federal Efforts – Notice of Security Breach, House

  • The "Data Security Act of 2007" (H.R. 1685), sponsored by second-term Rep. Tom Price (R-GA), would require businesses and federal government agencies to notify individuals if their sensitive personal or financial information is compromised through a data security breach.

  • The "Cyber-Security Enhancement and Consumer Data Protection Act of 2007" (H.R. 836), introduced Feb. 6 by Rep. Lamar Smith (R-TX), ranking member of the Judiciary Committee, and eight other GOP cosponsors, would require notification of federal law enforcement officials of certain data breaches and provide criminal and civil penalties for knowingly concealing such breaches.

  • The "Data Accountability and Trust Act" (H.R. 958), introduced by Reps. Bobby Rush (D-IL) and Cliff Stearns (R-FL).

    • The bill's goal is to curb identity theft. It would require companies to implement data security programs and to notify individuals affected by a data security breach.

    • It would require businesses to notify individuals if their personal information is compromised in a data breach incident. In addition, businesses would be required to notify the FTC of the breach.


Federal Breaches

  • Staff report of the Committee on Government Reform, dated October 13, 2006

    • Data breach incidents in federal agencies since January 2003 have been more widespread and numerous than previously disclosed

  • Report found:

    • All 19 departments and agencies reported at least one loss of personally identifiable information ("PI") since 1/1/03

    • Agencies do not always know what has been lost

    • Physical security of data is essential

    • Contractors are responsible for many of the reported breaches

  • "Veterans Benefits, Health Care, and Information Technology Act of 2006" (S. 3421)

    • Requires the VA to adopt rules for notifying veterans in the case of a breach of their personal data

    • Signed December 22, 2006


State Notice of Breach Legislation


1st Law on Notice of Security Breach - SB 1386

  • Applies to all companies in California or that do business in California

  • Companies must disclose any security breaches to each affected California customer whose PI has been compromised.

    • Personal information (notice-triggering information) is an individual's first name or first initial, combined with the last name, plus any one of the following identifiers: (1) Social Security number, (2) driver's license number or California Identification Card number, or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the account.

  • Failure to comply may result in lawsuits and damages.


Since Then…State Breach Notice Laws Proliferate

  • Arizona (Ariz. Rev. Stat. §44-7501)

  • Arkansas (Ark. Code §4-110-101 et seq.)

  • California (Cal. Civ. Code §1798.82)

  • Colorado (Col. Rev. Stat. §6-1-716)

  • Connecticut (Conn. Gen. Stat. 36A-701(b))

  • Delaware (De. Code tit. 6, §12B-101 et seq.)

  • Florida (Fla. Stat. §817.5681)

  • Georgia (Ga. Code §10-1-910 et seq.)

  • Hawaii (Hawaii Rev. Stat. §487N-2)

  • Idaho (Id. Code §§28-51-104 to 28-51-107)

  • Illinois (815 Ill. Comp. Stat. 530/1 et seq.)

  • Indiana (Ind. Code §24-4.9)

  • Kansas (Kansas Stat. 50-7a01, 50-7a02 (2006 S.B. 196, Chapter 149))

  • Louisiana (La. Rev. Stat. §51:3071 et seq.)

  • Maine (Me. Rev. Stat. tit. 10 §§1347 et seq.)


…and Proliferate!

  • Michigan (2006 S.B. 309, Public Act 566)

  • Minnesota (Minn. Stat. §325E.61, §609.891)

  • Montana (Mont. Code §30-14-1701 et seq.)

  • Nebraska (Neb. Rev. Stat. 87-801 et seq.)

  • Nevada (Nev. Rev. Stat. 603A.010 et seq.)

  • New Hampshire (N.H. RS 359-C:19 et seq.)

  • New Jersey (N.J. Stat. 56:8-163)

  • New York (N.Y. Bus. Law §899-aa)

  • North Carolina (N.C. Gen. Stat. §75-65)

  • North Dakota (N.D. Cent. Code §51-30-01 et seq.)

  • Ohio (Ohio Rev. Code §1349.19, §1347 et seq.)

  • Oklahoma (Okla. Stat. §74-3113.1)

  • Pennsylvania (73 Pa. Cons. Stat. §2303)

  • Rhode Island (R.I. Gen. Laws §11-49.2-1 et seq.)

  • Tennessee (Tenn. Code §47-18-2107)

  • Texas (Tex. Bus. & Com. Code §48.001 et seq.)

  • Utah (Utah Code §13-44-101 et seq.)

  • Vermont (Vt. Stat. tit. 9 §2430 et seq.)

  • Washington (Wash. Rev. Code §19.255.010)

  • Wisconsin (Wis. Stat. §895.507)

  • Wyoming (SF 53)


2007 Notice of Breach Proposed Legislation

  • Alaska (H.B. 31, S.B. 21)

  • Arizona (S.B. 1042)

  • District of Columbia (B16-810)

  • Illinois (H.B. 3743, H.B. 4198, S.B. 209, S.B. 1479, S.B. 1798, S.B. 1899, S.B. 3040)

  • Kentucky (HB 7)

  • Massachusetts (H.B. 4775)

  • Maryland (HB 208, S 194)

  • Mississippi (S.B. 2089)

  • Montana (S.B. 33)

  • New Jersey (A.B. 259, A.B. 2104, A.R. 190, S.R. 51)

  • Oregon (SB 583)

  • South Carolina (H.B. 3035, S.B. 8, SB 453)


State Breach Notification Laws

  • Most of the laws require notification if unauthorized access that compromises personal data has occurred, or there is a reasonable basis to believe that it has

  • Some states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to harm the individual

  • Some state laws, e.g., California's, may also require certain security standards, and there may be others


State Breach Notice Laws

  • Generally, the state data breach laws were modeled on California's S.B. 1386. The laws:

    • apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered;

    • at a minimum, define "personal information" – as a name, in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code – the breach of which triggers the need to notify consumers;

    • give the state's Attorney General enforcement authority;

    • allow for a delay in notification if a disclosure would compromise a law enforcement investigation (except Illinois);

    • allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000 (Rhode Island, Delaware, Nebraska and Ohio set lower thresholds); and

    • some provide a "safe harbor" for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law.
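To show how the SB 1386 notice trigger and the common features of the state laws modeled on it translate into incident-response triage, here is an added Python example; it is not code from the presentation or its author. It assumes a constructed incident-inventory record with field labels such as `ssn` and `first_initial`, treats encrypted data as outside the trigger, and uses the 500,000-person and $250,000 substitute-notice thresholds the slides give as typical (states with lower thresholds need their own values). The sample incident in the usage block is constructed.

```python
"""Breach-notice triage against the SB 1386-style trigger.

Added illustrative code, not part of the presentation. It encodes the
SB 1386 definition of notice-triggering personal information (a name
plus one enumerated identifier) together with two features the state
laws modeled on it share: only unencrypted data triggers notice, and
substitute notice is permitted above a headcount or cost threshold.
Field labels, thresholds-as-defaults and sample incidents are
constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Identifiers that, combined with a name, trigger notice on their own.
STANDALONE_IDENTIFIERS = frozenset({"ssn", "drivers_license", "state_id_card"})
# Financial account numbers trigger notice only together with a code
# that would permit access to the account.
ACCOUNT_NUMBERS = frozenset({"account_number", "credit_card_number", "debit_card_number"})
ACCESS_SECRETS = frozenset({"security_code", "access_code", "password"})


@dataclass(frozen=True)
class ExposedDataSet:
    """What a breached data set contained, as recorded in the incident inventory."""
    fields: FrozenSet[str]
    encrypted: bool
    affected_people: int
    notice_cost_usd: float  # estimated cost of individual written notice


def has_name(fields: FrozenSet[str]) -> bool:
    """SB 1386: first name or first initial, combined with the last name."""
    return "last_name" in fields and bool(fields & {"first_name", "first_initial"})


def has_triggering_identifier(fields: FrozenSet[str]) -> bool:
    """One enumerated identifier; account numbers count only with an access secret."""
    if fields & STANDALONE_IDENTIFIERS:
        return True
    return bool(fields & ACCOUNT_NUMBERS) and bool(fields & ACCESS_SECRETS)


def is_notice_triggering(data: ExposedDataSet) -> bool:
    """True when the exposed data meets the SB 1386-style trigger."""
    if data.encrypted:
        return False  # the state laws reach only unencrypted personal information
    return has_name(data.fields) and has_triggering_identifier(data.fields)


def substitute_notice_allowed(data: ExposedDataSet,
                              people_threshold: int = 500_000,
                              cost_threshold_usd: float = 250_000.0) -> bool:
    """Substitute notice (statewide media plus a web site) above either threshold."""
    return (data.affected_people > people_threshold
            or data.notice_cost_usd > cost_threshold_usd)


def triage(data: ExposedDataSet) -> str:
    """One-line determination for the incident record."""
    if not is_notice_triggering(data):
        return "no notice obligation under an SB 1386-style trigger"
    if substitute_notice_allowed(data):
        return "notice required; substitute notice permitted"
    return "individual written notice required"


if __name__ == "__main__":
    # Constructed incident resembling the web-folder exposure described on the slides.
    web_folder = ExposedDataSet(
        fields=frozenset({"first_name", "last_name", "ssn", "email"}),
        encrypted=False, affected_people=2_100, notice_cost_usd=3_000.0)
    print(triage(web_folder))
```

The decision is deliberately split into three small predicates so that each can be checked against the statute text in a tabletop exercise; a state that uses a different identifier list or a lower substitute-notice threshold is handled by changing the constants or the keyword arguments, not the logic.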


2006 Higher Education Security Breaches

Virginia Commonwealth University, 2,100 affected

"Human error caused the names, Social Security numbers and e-mail addresses of about 2,100 current and former Virginia Commonwealth University students to be available online for eight months, the school says. VCU announced yesterday that it is contacting affected students, but there is no indication that their information has been viewed or used. According to VCU, the personal information of freshmen and graduate engineering students from the fall semester of 1998 through 2005 was unintentionally placed in a folder available on the Internet. VCU said the problem was discovered Tuesday by a student who Googled her name and found personal information. The data became exposed in January when files on a School of Engineering server were moved to an insecure folder." (Timesdispatch.com, September 1, 2006)


2006 Higher Education Security Breaches

Vermont State Colleges, 20,000 affected

"Two unions representing workers in the Vermont State College system want the administration to pay the costs of protecting workers' personal information lost when a laptop computer was stolen. Many employees are worried about what the loss of information such as Social Security numbers, birth dates, home addresses and bank account numbers could mean for them. . . . The laptop was stolen Feb. 28 in Montreal from the car of a Lyndon State College information technology employee. It contained six years worth of personal and financial information of an estimated 20,000 present and former employees and students at all five state colleges." (Associated Press Newswires, April 9, 2006)


2006 Higher Education Security Breaches

Georgetown University, 41,000 affected

"A cyber attack on a Georgetown University computer server that exposed personal information on 41,000 elderly District residents was discovered almost three weeks ago during a routine, internal inspection, a university spokesman said yesterday. . . . The invaded server was used by a researcher to monitor services provided to the elderly for the D.C. Office on Aging. The personal information, including names, birthdates and Social Security numbers, was supplied by about 20 groups that contract with the Office on Aging to serve the elderly." (The Washington Post, March 5, 2006)


2006 Higher Education Security Breaches

University of South Carolina, 1,400 affected

"University of South Carolina officials are advising students to watch their credit reports after the Social Security numbers of as many as 1,400 students were mistakenly e-mailed to classmates. A department chairwoman distributing information about summer classes accidentally attached a database file to an e-mail she sent Sunday. The database included students' Social Security numbers." (Associated Press Newswires, April 14, 2006)


2006 Higher Education Security Breaches

University of Texas Austin, 106,000 affected

"Whoever hacked into the computer system at the University of Texas at Austin's business school obtained the names and Social Security numbers of 106,000 people, including all faculty and staff, most students and about half the alumni, a UT official said Monday. . . . [Dan] Updegrove said student academic information, alumni personal financial information and credit card information was not exposed." (Associated Press Newswires, April 24, 2006)


2007 Higher Education Security Breaches

University of Idaho, 331,000 affected

Three desktop computers disappeared from the University of Idaho's Advancement Services office containing personal data of alumni, donors, employees and students. While an internal investigation shows that as many as 70,000 SSNs, names and addresses may have been on the hard drive, the school is notifying 331,000 people who may have been exposed. The computers "went missing" over Thanksgiving. Police asked the school to delay notice for investigative purposes.


2007 Higher Education Security Breaches

University of Missouri, 2,500 affected

A hacker broke into the University of Missouri's Research Board Grant Application System and gained access to the SSNs of at least 1,220 researchers. The passwords for more than 2,500 people may well have been compromised, according to a college spokesperson, which could lead to exposure of information.


2007 Higher Education Security Breaches

Georgia Tech University, 3,000 affected

An unauthorized access to a Georgia Tech computer may have compromised about 3,000 current and former employees. The stolen info includes names, addresses, SSNs, and other sensitive information, including about 400 state purchasing card numbers.


Cost of Security Breaches

Ponemon Institute Survey: 31 companies that faced data breach incidents in 2006, ranging from the loss of 2,500 records to 263,000 records, for a total of 815,000 compromised customer records

  • From 2005 to 2006 there was a 30% increase in the average cost of data breach incidents, to $183 per lost customer record, comprised of:

    • Average direct costs - $54 (8% increase)

    • Lost productivity - $30 per lost record (100% increase)

    • Costs of keeping existing and getting new clients - $99 per lost record (31% increase)

  • The average total cost of a breach to each company was $4.8 million

  • The reported costs of each breach ranged from $226,000 to $22 million

  • Total reported costs for all of the breaches were $148 million



    Security Breach Survey

    • Other Findings from the Ponemon Survey:

      • Nearly 30% of the reported breaches involved data lost by contractors, consultants, or other external partners.

      • Over 90% of the breaches involved the loss of electronic data rather than paper documents.

      • 35% of the reported breach incidents involved lost or stolen laptop computers.

      • Only 10% of the reporting companies had an expert, such as a privacy, security or compliance officer, in place to handle breach recovery efforts

        “2006 Annual Study: Cost of a Data Breach” is available from the Ponemon Institute at [email protected]




    Federal Spyware Legislation




    Proposed Federal Spyware Legislation

    H.R. 964 ("Securely Protect Yourself Against Cyber Trespass Act") (Spy Act), Rep. Mary Bono (formerly H.R. 2929; formerly H.R. 29)

    • Status: Passed House, May 23, 2005. Reintroduced, February 8, 2007.

    • Prohibits certain specific practices except with user authorization. Requires notice, consent, and uninstall capability for certain information collection and advertising programs. Leaves many key details to the Federal Trade Commission. Grants enforcement power only to the FTC. Preempts existing state laws about spyware.




    State Spyware and SSN Legislation



    Spyware – State Laws

    • Alaska – S. 140 (Pop-Up Ads)

    • Arizona – HB 2414

    • Arkansas – SB 2904

    • California – SB 1436, SB 92

    • Georgia – SB 127

    • Iowa – HF 614

    • Louisiana – HB 690

    • New Hampshire – Chapter 238

    • New York – A. 891F

    • Rhode Island – HB 6811

    • Tennessee – (SB 2069)

    • Texas – SB 327

    • Utah – HB 104, amending HB 323

    • Virginia – HB 2471

    • Washington – HB 1012


    Spyware – Proposed 2007

    • Illinois (SB 1199, SB 1495) – Proposed (Civil Penalties)

    • Maine (LD 1029) – Proposed

    • Massachusetts (SD 1800, HD 460)

    • Michigan (SB 145) – Proposed (allows private causes of action)

    • Missouri (HB 993) – Proposed (Criminalizing)

    • Mississippi (SB 2261) – Proposed

    • New York (S 3655, S 1459, A 340) – Proposed

    • Pennsylvania (HB 755) – Proposed



    2006 State Social Security Laws

    • Over the last two years the number of states with some sort of SSN restriction law has grown from eight to 25. The following are those that passed over the last year:

      • Pennsylvania - Social Security Number Privacy Act (H.B. 2134), 11/29/06

      • New York, S. 6909C, 9/26/06

      • Hawaii, Social Security number protection bill (Act 137), 5/25/06

      • Minnesota, S.F. 3132, 5/25/06

      • Tennessee, P.A. 06-555, 4/24/06

      • Colorado, H.B. 1156, 3/31/06

      • Wisconsin, A.B. 536, 3/16/06




    Typical SSN Use Prohibitions

    • State SSN laws vary widely from state to state. Common prohibitions on SSN use include:

      • public posting of SSN information;

      • use of SSNs on registration and service cards;

      • requiring SSNs for access to Web sites;

      • transmitting SSN data over the Internet;

      • sending mail with visible SSNs;

      • putting SSNs on faxes;

      • using SSNs as an employee ID number;

      • using SSNs as customer account numbers;

      • printing SSNs on pay stubs; and

      • selling SSNs.




    Agency Actions and Litigation




    FTC Authority

    • Section 5 of the FTC Act (“FTCA”) permits the FTC to bring an action to address any unfair or deceptive trade practice that occurs in the course of commercial activities

      • Deceptive trade practice is any commercial conduct that includes false or misleading claims or claims that omit material facts

      • Unfair trade practices are commercial conduct that causes substantial injury, without offsetting benefits and that consumers cannot reasonably avoid

    • While Section 5 itself does not reach higher education, understanding how these cases are enforced helps in preparing for GLBA enforcement




    FTC Authority to Investigate

    • FTC has broad authority to investigate and bring actions

    • May work with company to resolve the matter

    • Where a pattern of non-compliance or egregious behaviors are involved, FTC will bring an enforcement action

    • These actions usually result in settlements through consent decrees that include an FTC mandated privacy and security program




    Enforcement/Consent Orders - FTCA

    • Section 5 “Unfair and Deceptive Trade Practices” Violations for Erroneous Representations in Posted Privacy Practices – Consent Orders

      • Eli-Lilly (1/18/02)

        • Information about Prozac users

      • Microsoft (8/8/02)

        • Technology not as secure as claimed, but no security breach uncovered

      • Tower Records (4/21/04)

        • Security flaw in the company’s web site exposing customers’ personal information

      • Guess? (6/18/03)

        • Failed to use reasonable and appropriate measures to protect customers’ personal information

      • Petco Animal Supplies (11/11/04)

        • Failed to use reasonable and appropriate measures to protect customers’ personal information

      • Vision I Properties, LLC (3/10/05)




    FTC Enforcement - Security

    • Practices that "threaten data security" under the FTC Act's unfair practices prong:

      • In the matter of BJ’s Wholesale Club, FTC No. 042-3160, 6/16/2005

      • In the Matter of DSW, Inc., FTC, No. 053-3096, 12/1/05

      • In re CardSystems Solutions Inc., FTC, File No. 052 3148, consent order 9/5/06




    Limitation of FTC Authority

    • FTC:

      • cannot regulate industries that are otherwise regulated (e.g., financial industries, common carriers)

      • does not have jurisdiction over non-profits

      • may nevertheless work closely with these other industries

      • may share enforcement authority with other agencies/authorities (e.g., DOJ)




    GLBA Safeguards Enforcement

    • Violations of GLBA Safeguards Rule (FTC)

      • In re Sunbelt Lending Services, FTC, File No. 042-3153, 11/16/04

      • In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No. 042-3104 4/15/05

      • In re Superior Mortgage Corp., FTC, File No. 052 3136, 9/28/05




    FTC Privacy and Security Programs in Consent Decrees

    • Originally, FTC would bring these actions due to a misrepresentation of privacy and security protections contained in a company’s privacy notice or other document

    • Consent order includes a requirement to establish and maintain a security and privacy program, including:

      • Training and proper oversight of employees and agents

      • Identification of reasonably foreseeable risks

      • Design and implementation of reasonable and appropriate safeguards

      • Regular evaluation of the program




    FTC Privacy and Security Programs in Consent Decrees (cont.)

    • An obligation to have the privacy and security program reviewed annually by an independent qualified third party (i.e., CISSP or other qualified party)

    • A requirement to provide certain documents related to the representations made about the company’s programs and compliance upon request by the FTC

    • An obligation to notify the FTC of any change which may affect the company’s compliance

    • A final written report of compliance upon request by the FTC




    SB 1386 Litigation

    • Parke v. CardSystems Solutions Inc., Cal. Super. Ct., No. CGC-05-442624.

      • Class action continues in 2006, despite settlement with FTC

      • Status Conference February 3

      • Status Conference March 7

      • Basis of Claim

        • Defendants were negligent in permitting CardSystems to process credit card transactions when they knew or should have known that the company failed to comply with the Payment Card Industry Data Security Standard (PCI DSS).

        • Separate VISA and MasterCard data security standards formed the basis for that common set of data protection standards




    Civil Suits for Security/Privacy Breaches

    • Lambert v. Hartmann, No. 1:04cv837 (S.D. Ohio Dec. 29, 2006)

      • Plaintiff claimed a violation of the constitutional right of privacy when the plaintiff's SSN was published on the Web

      • The court held that SSNs are not constitutionally protected against publication on the Web.

      • The plaintiff's claimed damages were merely financial, so the constitutional right of privacy was not implicated.




    Civil Suits for Security/Privacy Breaches

    • Guin v. Brazos Higher Educ. Serv. Corp. Inc., No. 05-668 (D. Minn. Feb. 2, 2006)

    • A loan company lost a laptop that included the plaintiff's financial data in unencrypted form.

    • The court held

      • that heightened risk of identity theft was insufficient to win a negligence action

      • that there was no duty to encrypt data under the Gramm-Leach-Bliley Act, so no negligence when an employee took unencrypted data home on a laptop.

      • The court determined that the employer had a data protection policy in place, and that it followed it even though the data was lost.




    Civil Suits for Security/Privacy Breaches

    • Key v. DSW Inc., 454 F. Supp. 2d 684 (D. Ohio 2006); Bell v. Acxiom Corp., No. 4:06CV00458-WRW (E.D. Ark. Oct. 3, 2006)

      • In both cases the court cited Guin for the proposition that a mere fear of identity theft is not a sufficient injury to support a negligence action or to create standing to sue in federal court.




    Civil Suits for Security/Privacy Breaches

    • CollegeNET Inc. v. XAP Corp., 442 F. Supp. 2d 1070 (D. Ore. 2006)

      • In a dispute between competing online marketers, the court held that the defendant was engaged in unfair competition when it collected names of prospects through the use of a deceptive opt-in/opt-out policy, and instructed the jury that it is possible to put a monetary value on personal information

      • A jury later concluded that the plaintiff's damages were $4.5 million.




    Contact Information

    M. Peter Adler

    AIPG

    Adler InfoSec & Privacy Group LLC

    2103 Windsor Road

    Alexandria, VA 22307

    Telephone: (202) 251-7600

    Facsimile: (703) 997-5633

    Email: [email protected]


