roundup of legal developments in cubersecurity privacy law n.
Skip this Video
Loading SlideShow in 5 Seconds..
Roundup of Legal Developments in Cubersecurity & Privacy Law PowerPoint Presentation
Download Presentation
Roundup of Legal Developments in Cubersecurity & Privacy Law

Roundup of Legal Developments in Cubersecurity & Privacy Law

272 Views Download Presentation
Download Presentation

Roundup of Legal Developments in Cubersecurity & Privacy Law

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Educause Security Professionals Conference 2007 Roundup of Legal Developments in Cubersecurity & Privacy Law M. Peter Adler JD, LLM, CISSP, CIPP Adler InfoSec & Privacy Group LLC Interim Director of Privacy and Cybersecurity, Montgomery College, Rockville, MD Adler InfoSec & Privacy Group LLC

  2. Agenda • Overview of Federal Security and Privacy Legislation Relating to Privacy and Security • Developments in security and privacy laws and regulations over the past year • Key agency actions and litigation Adler InfoSec & Privacy Group LLC

  3. Overview of Federal Security and Privacy Legislation Relevant to Higher Education Adler InfoSec & Privacy Group LLC

  4. Key Laws and Regulations, Privacy Federal –HIPAA, GLBA, COPPA • GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. §§6801,6805 Adler InfoSec & Privacy Group LLC

  5. GLBA - Reach • The Securities and Exchange Commission ("SEC"); 65 Fed. Reg. 40362, codified at 17 C.F.R. § 248.30 (SEC) • The National Credit Union Administration (“NCUA”); 12 C.F.R. Parts 716 (privacy) and 748 (security) • Federal Banking Agencies: Interagency Guidelines Establishing Standards for Safeguarding Customer Information; 66 Fed Reg. 8616, codified as follows: • The Office of the Comptroller of the Currency (“OCC”), 12 C.F.R. Part 30 (Treasury) • The Board of Governors of the Federal Reserve System, 12 C.F.R. Parts 208, 211, 225 and 263 • The Federal Deposit Insurance Corp. ("FDIC"), 12 C.F.R. Parts 408 and 364, • The Office of Thrift Supervision ("OTS"); codified at 12 C.F.R. Parts 568 and 570 (security) and 573 (privacy) Adler InfoSec & Privacy Group LLC

  6. GLBA and Higher Education • Most higher education is pulled under GLBA for processing of student loans • GLBA Privacy provisions are met if the institution complies with FERPA • The Security Regulations Do Apply • Standards for Safeguarding Customer Information; Final Rule: 67 Fed. Reg. 36484, codified at 16 C.F.R. Part 314 (“GLBA Safeguards”) Adler InfoSec & Privacy Group LLC

  7. Additional GLBA Provisions • In addition to the imposition of safeguards, these regulations also provide for • Record Disposal: FRCA (as amended by Fair and Accurate Credit Transactions Act of 2003) FACTA) 15 USC §1681 (record disposal) • Breach Notification Rule Adler InfoSec & Privacy Group LLC

  8. Family Education Rights & Privacy Act(FERPA) • Leading federal privacy law for educational institutions. • Imposes confidentiality requirements over student educational records. • Prohibiting institutions from disclosing "personally identifiable education information" such as grades or financial aid information without the student's written permission.  • Provides students with the right to request and review their educational records and to make corrections to those records. • Law applies with equal force to electronic and hardcopy records. Adler InfoSec & Privacy Group LLC

  9. Federal Information Security Act of 2002 FISMA • FISMA: Federal Information Security Act of 2002, 44 U.S.C. §3537 et seq. • Requires compliance with a set of standards federal government information security • Federal Information Processing Standards (FIPS) • NIST Standards • Applies to Federal information System • An information system used or operated by an executive agency, or by another organization on behalf of an executive agency • May be applicable to higher education: • Through government contracts • Also, some federal agencies (labor) are beginning to hold fund recipients to these standards. Department of Education, National Science Foundation and National institutes of Health may do the same: See ECAR Report Page 93. Adler InfoSec & Privacy Group LLC

  10. HIPAA • HIPAA: Health Insurance Portability and Accountability Act, 42 U.S.C. §§ 1320d-2 and 1320d-4 • 45 C.F.R. Parts 160 and 164 • Applies to health care providers, plans and clearinghouses • In higher education will apply to student health services Adler InfoSec & Privacy Group LLC

  11. Sarbanes Oxley • Sarbanes Oxley Act, 15 U.S.C. §§7241 and 7267 (SOX) • Not really relevant to Higher Education, but some institutions desire to become “SOX Compliant” Adler InfoSec & Privacy Group LLC

  12. SOX and Security • Sarbanes Oxley Act, 15 U.S.C. §§7241 and 7267 • COBIT Standard • SOX is "basically silent" on information security, • However Information Security is implicit: • Certification of effectiveness of controls (404) • Annual assessment and report on effectiveness of the controls (302) • The SEC final rules • rules require management to certify that two types of controls have been established and their effectiveness has been assessed • Access Security • Internal Controls Adler InfoSec & Privacy Group LLC

  13. Committee on Sponsoring Organization of the Treadway Commission (COSO) COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance Integrity and Ethical Values Commitment to Competence Board of Directors or Audit Committee Management Philosophy and Operating Style Organizational Structure Assignment of Authority and Responsibility Human Resource Policies and Procedures COBIT (Control Objectives for Information and related Technology) COBIT Security Baseline: Security Policy Security Standards Access and Authentication User Account Management Network Security Monitoring Segregation of Duties Physical Security SOX Standards: COSO and COBIT Adler InfoSec & Privacy Group LLC

  14. EmergingIssues Adler InfoSec & Privacy Group LLC

  15. Communications Assistance for Law Enforcement Act (CALEA) • Aug. 5, 2005, The FCC adopted a final order providing that certain wireline broadband and interconnected Voice over Internet Protocol (VoIP) services be prepared to accommodate law enforcement wiretaps pursuant to the CALEA (as a hybrid between traditional telecommunications carriers and information services) • Privacy groups challenged the commission's ruling in court • June 9, 2006, The U.S. Court of Appeals for the D.C. Circuit ruled that the expansion of a federal law enforcement telecommunications wiretapping law to certain broadband Internet service and VoIP providers is legal (American Council on Educ. v. FCC, D.C. Cir., No. 05-1404, petition denied 6/9/06 Adler InfoSec & Privacy Group LLC

  16. Applicability of CALEA to Private Networks • The FCC’s Order recognized that “private broadband networks or intranets that enable members to communicate with one another and/or to receive information from shared data libraries not available to the general public . . . appear to be private networks for purposes of CALEA,” and thus exempt. • At the same time, however, the Order suggested that the exemption could be lost if such private networks connect to the Internet, as virtually all higher education networks do. The Order stated: “To the extent that . . . private networks are interconnected with a public network, either the PSTN or the Internet, providers of the facilities that support the connection of the private network to the public network are subject to CALEA under the SRP.” • In subsequent meetings and press statements, the FCC declined to elaborate on the meaning of this statement. Adler InfoSec & Privacy Group LLC

  17. Does the Campus Network “Support” the Connection to the Internet? • While the language in the FCC Order is cryptic, the FCC’s court brief sets forth a more workable test: Colleges and universities that “provide their own connection to the Internet” are subject to CALEA (at least with respect to those Internet connection facilities), while institutions that rely on a third party for this connection are exempt. Adler InfoSec & Privacy Group LLC

  18. Does the Campus Network “Support” the Connection to the Internet? • This still leaves some gray areas, but the FCC most likely would conclude that an institution provides its own Internet connection when it constructs, purchases, leases, or otherwise operates fiber optic or other transmission facilities and associated switching equipment that link the campus network to an ISP’s point of presence. Adler InfoSec & Privacy Group LLC

  19. Communications Assistance for Law Enforcement Act (CALEA) - exempt • In contrast, the FCC most likely would conclude that an institution is exempt if it obtains access to the Internet by (1) contracting with an ISP or regional network to pick up Internet traffic from a campus border router, (2) purchasing a private line or other transmission service from a telecommunications carrier on a contractual or tariffed basis (as opposed to leasing dark fiber or other facilities), or (3) relying on some combination of these approaches. • If a campus network is closed (i.e., does not connect to the Internet), it is clearly exempt from CALEA under the private network exemption. • Interconnected networks that support their own Internet connection appear to enjoy a limited exemption if they otherwise qualify as “private.” Specifically, only the gateway equipment itself is subject to CALEA – the Internet portions of a private network remain exempt. Adler InfoSec & Privacy Group LLC

  20. Communications Assistance for Law Enforcement Act (CALEA) deadlines • The CALEA compliance deadline remains May 14, 2007, and applies equally to all facilities-based broadband access providers and interconnected VoIP service providers, with restricted availability of compliance extensions. • Carriers are permitted to meet their CALEA obligations through the services of “Trusted Third Parties (TTP)” including processing requests for intercepts, conducting electronic surveillance, and delivering information to LEAs. However, carriers remain responsible for ensuring the timely delivery of information to the LEA and protecting subscriber privacy, as required by CALEA. Adler InfoSec & Privacy Group LLC

  21. The Federal Rules of Civil Procedure (and most state law) provides the following discovery tools: Depositions Upon Written or Oral Written Questions (Rules 30, 31 and 32) Written Interrogatories (Rule 33) Production of Document or Things (Rule 34) Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34) Physical and Mental Examinations (Rule 35) Requests for Admission (Rule 36) Tools to Ensure or Excuse Discovery Motion to Compel (Rule 37(a)) Sanctions (Rule 37 (b),(c)&(d)) Protective Orders (Rule 26(c)) Discovery Rules “The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the party’s preparation for trial.” - Blacks Law Dictionary Adler InfoSec & Privacy Group LLC

  22. E-Discovery: 12/2006 • New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) are expected by December of this year. • These Rules are broken into the following categories: • Early attention to electronic discovery issues: Rules 16 and 26(f) • Better management of discovery into ESI that is not reasonably accessible: Rule 26(b)(2) • New provision setting out procedure for assertions of privilege after production: Rule 26(b)(5) • Interrogatories and Requests for Production of ESI: Rules 33 and 34 • Application of sanctions rules pertaining to ESI: Rule 37 Adler InfoSec & Privacy Group LLC

  23. Real ID Act • Real ID Act (H.R. 1268) – Part of a supplemental bill funding wars in Iraq and Afghanistan (Signed May 2005) • Will tighten requirements for identification cards acceptable to the federal government, require proof that an applicant is legally in the country, and require state participation in a national driver's license data sharing program • Tasked the DHS with proposing regulations to implement minimum standards for identification cards acceptable for federal government purposes, such as boarding a domestic airline flight • Requires data exchange between the states and between individual states and the Federal government. • Commercial airline passengers would have to provide the new card or a passport to board a U.S. plane • Amounts to the first step toward creation of a national identification card which raises concerns about ensuring the privacy and security of information being shared Adler InfoSec & Privacy Group LLC

  24. New Laws • Veterans Benefits, Health Care, and Information Technology Act of 2006" (S. 3421). • Requires the VA to adopt rules for notifying veterans in the case of breach of their personal data • Signed December 22, 2006 • Undertaking Spam, Spyware, and Fraud Enforcement Beyond Borders Act" (S. 1608 • Known as the US SAFE WEB Act (S. 1608), authorizes the FTC to share information with foreign agencies that treat consumer fraud and deception as a criminal law enforcement issue. • Signed December 22, 2006 • Telephone Records and Privacy Protection Act of 2006 (HB 4709) • Anti-pretexting law • Signed by the President January 12, 2007 Adler InfoSec & Privacy Group LLC

  25. Pending Federal Notice of Breach Legislation Adler InfoSec & Privacy Group LLC

  26. Federal Efforts – Notice of Security Breach, Senate Senate: • S 495, “Personal Data Privacy and Security Act of 2007” (PDPSA), Leahy Specter Bill. • S. 239, “Notification of Risk to Personal Data Act of 2007” • Both would preempt state law • Differ in terms of safe harbor, exemptions, penalties, notice procedures Adler InfoSec & Privacy Group LLC

  27. Federal Notice of Breach Law Status • Personal Data Privacy and Security Act of 2007 would, among other things, • require organizations to notify consumers of security breaches • mandates the adoption of internal policies to protect personal data. Adler InfoSec & Privacy Group LLC

  28. Leahy-Specter 2007 Security Program • Requires companies that have databases with personal information on more than 10,000 Americans to: • establish and implement data privacy and security programs, and • vet third-party contractors hired to process data. • There are exemptions for companies already subject to data security requirements under Gramm-Leach-Bliley and the Health Information Portability and Accountability Act. Adler InfoSec & Privacy Group LLC

  29. Leahy-Specter 2007 • Personal Data Privacy and Security Act of 2007 would: • Make it a crime to intentionally or willfully hide a security breach; • Provide consumer access and correction rights to information held by commercial data brokers; • Require companies to notify authorities of breaches; • Require government agencies to adopt privacy protection rules when agencies use information from commercial data brokers; and • Require audits of government contracts with commercial data brokers. Adler InfoSec & Privacy Group LLC

  30. Leahy-Specter 2007 Required Notices • Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised. • The trigger for notice is tied to significant risk of harm with appropriate checks-and-balances to prevent over-notification as well as underreporting. • There are exemptions for national security and law enforcement needs, credit card companies using fraud-prevention techniques or where a breach does not result in a significant risk of harm. Adler InfoSec & Privacy Group LLC

  31. Federal Efforts – Notice of Security Breach, House • The "Data Security Act of 2007" (H.R. 1685), sponsored by second term Rep.Tom Price (R-GA), would require businesses and federal government agencies to notify individuals if their sensitive personal or financial information is compromised through a data security breach. • The "Cyber-Security Enhancement and Consumer Data Protection Act of 2007" (H.R. 836), introduced Feb. 6 by Rep. Lamar Smith (R-TX), ranking member of the Judiciary Committee, and eight other GOP cosponsors, would require notification of federal law enforcement officials of certain data breaches and provide criminal and civil penalties for knowingly concealing such breaches • The "Data Accountability and Trust Act" (H.R. 958), introduced by Reps. Bobby Rush (D-Ill.) and Cliff Stearns (R-FL). • The bill's goal is to curb identity theft. It would require companies to implement data security programs and to notify individuals affected by a data security breach • It would require business to notify individuals if their personal information is compromised in a data breach incident. In addition, businesses would be required to notify the FTC of the breach. Adler InfoSec & Privacy Group LLC

  32. Federal Breaches • Staff report of the Committee on Government Reform, dated October 13, 2006 • Data breach incidents in federal agencies since January 2003 have been more widespread and numerous than previously disclosed • Report found: • All 19 Departments and agencies reported at least one loss of Personally Information (“PI”) since 1/1/03 • Agencies do not always know what has been lost • Physical security of data is essential • Contractors are responsible for many of the reported breaches • Veterans Benefits, Health Care, and Information Technology Act of 2006" (S. 3421). • Requires the VA to adopt rules for notifying veterans in the case of breach of their personal data • Signed December 22, 2006 Adler InfoSec & Privacy Group LLC

  33. State Notice of Breach Legislation Adler InfoSec & Privacy Group LLC

  34. 1st Law on Notice of Security Breach - SB 1386 • Applies to all companies in California or that do business in California • Companies must disclose any security breaches to each affected California customer whose PI has been compromised. • Personal information (notice triggering information) is individual’s first name or first initial, combined with the last name, plus any one of the following identifiers: (1) Social Security number (2) driver’s license number or California Identification Card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the account. • Failure to comply may result in lawsuits and damages. Adler InfoSec & Privacy Group LLC

  35. Georgia (Ga. Code §10-1-910 et seq. ) Hawaii (Hawaii Rev. Stat. §487N-2 ) Idaho (Id. Code §§28-51-104 to 28-51-107 ) Illinois (815 Ill. Comp. Stat.530/1 et seq. ) Indiana (Ind. Code §24-4.9 ) Kansas (Kansas Stat. 50-7a01, 50-7a02 (2006 S.B. 196, Chapter 149) ) Louisiana (La. Rev. Stat. §51:3071 et seq.) Maine (Me. Rev. Stat. tit. 10 §§1347 et seq. ) Since Then…State Breach Notice Laws Proliferate • Arizona (Ariz. Rev. Stat. §44-7501) • Arkansas (Ark. Code §4-110-101 et seq. ) • California (Cal. Civ. Code §1798.82 ) • Colorado (Col. Rev. Stat. §6-1-716 ) • Connecticut (Conn. Gen Stat.36A-701(b) ) • Delaware (De. Codetit. 6, § 12B-101 et seq.) • Florida (Fla. Stat. §817.5681 ) Adler InfoSec & Privacy Group LLC

  36. Ohio (Ohio Rev. Code §1349.19, §1347 et seq. ) Oklahoma (Okla. Stat. §74-3113.1 ) Pennsylvania (73 Pa. Cons. Stat. § 2303 ) Rhode Island (R.I. Gen. Laws §11-49.2-1 et seq. ) Tennessee (Tenn. Code §47-18-2107 ) Texas (Tex. Bus. & Com. Code §48.001 et seq. ) Utah (Utah Code §13-44-101 et seq. ) Vermont (Vt. Stat. Tit. 9 §2430 et seq. ) Washington (Wash. Rev. Code §19.255.010 ) Wisconsin (Wis.Stat. §895.507 ) Wyoming (SF 53) Michigan (2006 S.B. 309, Public Act 566) Minnesota (Minn. Stat. §325E.61, §609.891 ) Montana (Mont. Code §30-14-1701 et seq. ) Nebraska (Neb. Rev Stat87-801 et. seq. ) Nevada (Nev. Rev. Stat.603A.010 et seq. ) New Hampshire (N.H. RS359-C:19 et seq. ) New Jersey (N.J.Stat.56:8-163 ) New York (N.Y. Bus. Law §899-aa ) North Carolina (N.C. Gen. Stat §75-65 ) North Dakota (N.D. Cent. Code §51-30-01 et seq. ) …and Proliferate! Adler InfoSec & Privacy Group LLC

  37. Alaska (H.B. 31, S.B. 21) Arizona (S.B. 1042) District of Columbia (B16-810) Illinois (H.B. 3743, H.B. 4198, S.B. 209, S.B. 1479, S.B. 1798, S.B. 1899, S.B. 3040) Kentucky (HB 7) Massachusetts (H.B. 4775) Maryland (HB 208, S 194) Mississippi (S.B. 2089) Montana (S.B. 33) New Jersey (A.B. 259, A.B. 2104, A.R. 190, S.R. 51) Oregon (SB 583) South Carolina (H.B. 3035, S.B. 8, SB 453) 2007 Notice of Breach Proposed Legislation Adler InfoSec & Privacy Group LLC

  38. State Breach Notification Laws • Most of the laws require notification if there has been, or there is a reasonable basis to believe that, unauthorized access that compromises personal data has occurred • Some states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual • Some state laws may require certain security standards, e.g., California, but there may be others. Adler InfoSec & Privacy Group LLC

  39. State Breach Notice Laws • Generally, the State Data Breach laws were modeled on California's S.B. 1386. The laws: • apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered; • at a minimum, define "personal information“ -- as a name, in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code --the breach of which triggers the need to notify consumers; • give state’s Attorney General enforcement authority; • allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois; • allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000 --Rhode Island, Delaware, Nebraska, Ohio set lower thresholds; and • some provide a “safe harbor” for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law. Adler InfoSec & Privacy Group LLC

  40. 2006 Higher Education Security Breaches Virginia Commonwealth University, 2100 affected “Human error caused the names, Social Security numbers and e-mail addresses of about 2,100 current and former Virginia Commonwealth University students to be available online for eight months, the school says. VCU announced yesterday that it is contacting affected students, but there is no indication that their information has been viewed or used. According to VCU, the personal information of freshmen and graduate engineering students from the fall semester of 1998 through 2005 was unintentionally placed in a folder available on the Internet. VCU said the problem was discovered Tuesday by a student who Googled her name and found personal information. The data became exposed in January when files on a School of Engineering server were moved to an insecure folder.” (, September 1, 2006) Adler InfoSec & Privacy Group LLC

  41. 2006 Higher Education Security Breaches Vermont State Colleges, 20,000 affected “Two unions representing workers in the Vermont State College system want the administration to pay the costs of protecting workers' personal information lost when a laptop computer was stolen. Many employees are worried about what the loss of information such as Social Security numbers, birth dates, home addresses and bank account numbers could mean for them. . . . The laptop was stolen Feb. 28 in Montreal from the car of a Lyndon State College information technology employee. It contained six years worth of personal and financial information of an estimated 20,000 present and former employees and students at all five state colleges.” (Associated Press Newswires, April 9, 2006) Adler InfoSec & Privacy Group LLC

  42. 2006 Higher Education Security Breaches Georgetown University, 41,000 affected “A cyber attack on a Georgetown University computer server that exposed personal information on 41,000 elderly District residents was discovered almost three weeks ago during a routine, internal inspection, a university spokesman said yesterday. . . . The invaded server was used by a researcher to monitor services provided to the elderly for the D.C. Office on Aging. The personal information, including names, birthdates and Social Security numbers, was supplied by about 20 groups that contract with the Office on Aging to serve the elderly.” (The Washington Post, March 5, 2006) Adler InfoSec & Privacy Group LLC

  43. 2006 Higher Education Security Breaches University of South Carolina, 1400 affected “University of South Carolina officials are advising students to watch their credit reports after the Social Security numbers of as many as 1,400 students were mistakenly e-mailed to classmates. A department chairwoman distributing information about summer classes accidentally attached a database file to an e-mail she sent Sunday. The database included students‘ Social Security numbers.” (Associated Press Newswires, April 14, 2006) Adler InfoSec & Privacy Group LLC

  44. 2006 Higher Education Security Breaches University of Texas Austin, 106,000 affected “Whoever hacked into the computer system at the University of Texas at Austin's business school obtained the names and Social Security numbers of 106,000 people, including all faculty and staff, most students and about half the alumni, a UT official said Monday. . . . [Dan] Updegrove said student academic information, alumni personal financial information and credit card information was not exposed.” (Associated Press Newswires, April 24, 2006) Adler InfoSec & Privacy Group LLC

  45. 2007 Higher Education Security Breaches University of Idaho, 331,000 affected Three desktop computers disappeared from the University of Idaho's Advancement Services office containing personal data of alumni, donors, employees and students. While an internal investigation shows that as many as 70,000 SSNs, names and addresses may have been on the harddrive, the school is notifying 331,000 people who may have been exposed. The computers "went missing" over Thanksgiving. Police asked the school to delay notice for investigative purposes. Adler InfoSec & Privacy Group LLC

  46. 2007 Higher Education Security Breaches University of Missouri, 2500 affected A hacker broke into the University of Missouri's Research Board Grant Application System and gained access to the SSNs of at least 1,220 researchers. The passwords for more than 2,500 people may well have been compromised, according to a college spokesperson, which could lead to exposure of information. Adler InfoSec & Privacy Group LLC

  47. 2007 Higher Education Security Breaches Georgia Tech University, 3000 affected An unauthorized access to a Georgia Tech computer may have compromised about 3,000 current and former employees. The stolen info includes names, addresses, SSN, and other sensitive information including about 400 state purchasing card numbers. Adler InfoSec & Privacy Group LLC

  48. From 2005 to 2006 there was 30% increase in average cost of data breach incidents to $183 per lost customer record comprised of: Average Direct Costs - $54 (8% increase) Lost Productivity - $30 per lost record (100% increase) Costs of Keeping Existing and Getting New Clients - $99 per lost record (31% increase). The average total cost of breach to each company was $4.8 million. The reported costs of each breach ranged from $226,000 to $22 million, Total reported costs for all of the breaches was $148 million. Cost of Security Breaches Ponemon Institute Survey - 31 companies that faced data breach incidents in 2006, ranging from loss of 2,500 records to 263,000 records and resulted in a total loss of 815,000 compromised customer records Adler InfoSec & Privacy Group LLC

  49. Security Breach Survey • Other Findings from the Ponemon Survey: • Nearly 30% of the reported breaches involved data lost by contractors, consultants, or other external partners. • Over 90% of the breaches involved the loss of electronic data rather than paper documents. • 35% of the total breach incidents reported Lost or stolen laptop computers. • Only 10% of the reporting companies had an expert, such as a privacy, security or compliance officer, in place to handle breach recovery efforts “2006 Annual Study: Cost of a Data Breach" is available from the Ponemon Institute at Adler InfoSec & Privacy Group LLC

  50. Federal Spyware Legislation Adler InfoSec & Privacy Group LLC