Unified approach to security and privacy
Presentation Transcript
Privacy in the Electronic Realm

April 18, 2006

Unified Approach to Security and Privacy

M. Peter Adler JD, LLM, CISSP, CIPP

Adler InfoSec & Privacy Group LLC

Agenda

  • Problem: Sectoral/State Approach to Security and Privacy

    • Statement of the Problem

    • US Federal Laws and Intended Sectors

    • State Laws and Intended Sectors

    • Private Contractual Standards and Intended Sectors

  • Solution: Unified Approach to Security and Privacy Compliance

US Sectoral Approach Has Led to Numerous Laws and Regulations

Regulatory regimes shown in the slide diagram: HIPAA, GLBA, FTC, State Law, Sarbanes-Oxley (SOX), US Safe Harbor

  • Other Important Factors

    • The Payment Card Industry Data Security Standard

    • International Standards (e.g., NIST and ISO 17799)

    • Infrastructure Protection

    • Identity Theft Prevention

    • Corporate Governance and Reporting

…Have Created a “Silo Approach” to Compliance

The Silo Problem:

Slide diagram: GLBA Consultants, HIPAA Consultants, Int’l Consultants, State Law Consultants

  • Multiple Compliance Efforts

    • Costs more money

      • Multiple consultants each offering expertise in specific areas (e.g., HIPAA, GLBA, EU Data Directive, California Law)

      • So multiple efforts are undertaken when essentially a single effort would suffice

    • Undermines overall compliance effectiveness

      • Redundancy, inconsistency, lack of centralized oversight

A Unified Approach to Compliance

Slide diagram: Compliance; Other; FTC; Safe Harbor; GLBA; Int’l Law; HIPAA; International Operations

A Unified Approach addresses all of the regulatory regimes with one comprehensive approach to look at applicable security, privacy and other regulatory requirements.

HIPAA Requirements/Security

Slide diagram (HIPAA Compliance): Administrative Security; Procedures, Legal Compliance; Technical Security; Business Associate Management; Physical Security

To guard the confidentiality, integrity and availability (CIA) of health information

FTC Authority to Investigate

  • FTC has broad authority to investigate and bring actions

  • May work with company to resolve the matter

  • Where a pattern of non-compliance or egregious behavior is involved, the FTC will bring an enforcement action

  • These actions usually result in settlements through consent decrees that include an FTC mandated security and privacy program

Limitation of Authority

  • FTC cannot regulate industries that are otherwise regulated (e.g., financial industries, common carriers)

  • FTC may nevertheless work closely with these other industries

  • FTC may share enforcement authority with other agencies/authorities

FTC Security and Privacy Consent Decrees

  • A prohibition on misrepresenting security and privacy program protections

  • Fines

  • A requirement to establish and maintain a security program, including

    • Training and proper oversight of employees and agents

    • Identification of reasonably foreseeable risks

    • Design and implementation of reasonable and appropriate safeguards

    • Regular evaluation of the program

FTC Security and Privacy Consent Decrees (cont.)

  • An obligation to have the security and privacy program reviewed annually by an independent qualified third party

  • A requirement to provide certain documents related to the representations made about the company’s programs and compliance upon request by the FTC

  • An obligation to notify the FTC of any change which may affect the company’s compliance

  • A final written report of compliance upon request by the FTC

Previous FTC Actions resulting in Security or Privacy Programs

  • Section 5 Violations for Erroneous Representations in Posted Privacy Practices

  • FTC alleged the companies involved promised they would take reasonable steps to protect consumers' sensitive information, but failed to do so

    • Eli Lilly (January 18, 2002)

      • Information about Prozac users

    • Microsoft (Aug 8, 2002)

      • Technology not as secure as claimed, but no security breach uncovered

    • Tower Records (April 21, 2004)

      • Security flaw in the company’s web site exposed customers’ personal information

    • Guess? (June 18, 2003)

      • Failed to use reasonable and appropriate measures to protect customers’ personal information

    • Petco Animal Supplies Inc.(November 11, 2004)

      • Failed to use reasonable and appropriate measures to protect customers’ personal information

    • United States of America v. ChoicePoint, Inc., 1:06-CV-0198, Dist. Ct., Northern District of Georgia (other counts under FCRA/FACTA were also included)

FTC Complaints and Actions in the Last Year

  • Failure to provide reasonable and appropriate security for PI

    • In the Matter of Vision I Props. LLC, FTC, No. 042-3068, 3/10/2005

    • In the Matter of DSW, Inc., FTC, No. 053-3096, 3/14/2005

    • In the matter of BJ’s Wholesale Club, FTC No. 042-3160, 9/23/2005

  • Violations of GLBA Safeguards Rule (FTC)

    • In re Sunbelt Lending Services, FTC, File No. 042-3153, 11/16/04

    • In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No. 042-3104 4/15/05

    • In re Superior Mortgage Corp., FTC, File No. 052-3136, 9/28/05

  • Spyware

    • FTC v. Odysseus Mktg. Inc., D.N.H., 1:05-cv-00330-SM, (Complaint 9/21/05).

      • The FTC claimed that since September 2003, Odysseus Marketing Inc. and its principal, Walter Rines, have advertised software that purportedly would allow consumers to engage in anonymous peer-to-peer file sharing. The agency argued the claims were false and misleading

State Breach Notice Laws

  • The State Breach Notice Laws, generally:

    • apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered;

    • at a minimum, define "personal information"--the breach of which triggers the need to notify consumers--as a name in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code;

    • give their state attorneys general enforcement authority;

    • except Illinois, allow for a delay in notification if a disclosure would compromise a law enforcement investigation;

    • allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000--Rhode Island and Delaware set lower thresholds; and

    • provide a safe harbor for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law.

State Breach Notification Laws

  • Most of the laws require notification if unauthorized access that compromises personal data has occurred, or if there is a reasonable basis to believe that it has.

  • However, as noted in the materials, nine states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual.

California Passed 1st Law on Notice of Security Breach - SB 1386

  • Applies to all companies in California or that do business in California

  • Companies must disclose any security breaches to each affected California customer whose Personal Information has been compromised.

    • Personal information (notice-triggering information) is an individual’s first name or first initial, combined with the last name, plus any one of the following identifiers: (1) Social Security number, (2) driver’s license number or California Identification Card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the account.

  • Failure to comply may result in lawsuits and damages.

Since Then…State Breach Notice Laws Proliferate

  • Arkansas (SB 1167)
  • California (SB 1386)
  • Connecticut (SB 650)
  • Delaware (HB 116)
  • Florida (HB 481)
  • Georgia (SB 230)
  • Illinois (SB 1633)
  • Indiana (SB 503, HB 1101)
  • Louisiana (SB 205)
  • Maine (LD 1671)
  • Minnesota (HF 2121, HF 225)
  • Montana (HB 732)
  • Nevada (SB 347, AB 334)
  • New Hampshire (HB 1660)
  • New Jersey (A 4001)
  • New York (SB 347)
  • North Carolina (SB 1048)
  • Ohio (Subst. HB 104)
  • North Dakota (SB 2251)
  • Rhode Island (H 6191)
  • Tennessee (SB 2220)
  • Texas (SB 122)
  • Utah (SB 69)
  • Washington (SB 6043)
  • Wisconsin (SB 164)

Federal Efforts – Notice of Security Breach

  • Over 24 laws introduced in the past two years, e.g.,

    • Data Accountability and Trust Act (DATA) (HR 4127) (“reasonable risk”)

    • (HR 3997) (no state Attorneys General auth)

  • All would preempt state law

  • Differ in terms of safe harbor, exemptions, penalties, notice procedures

SB 1386 Litigation

  • Parke v. CardSystems Solutions Inc., Cal. Super. Ct., No. CGC-05-442624.

    • June 17 discovery that hackers broke into a CardSystems computer system that held private financial data on more than 40 million credit cards issued by MasterCard and other major credit card companies

    • Class action filed June 27 alleging that MasterCard, Visa International and CardSystems failed to protect consumers' privacy rights and to notify consumers in a timely manner of the breach

    • Complaint was amended July 6 to add a prayer for damages, as well as allegations of negligence and alleged violations of California Civil Code Section 1798.82, popularly known as S.B. 1386

    • Show cause order issued 8/1/05 why preliminary injunction should not be granted to force CardSystems to provide notice to all Californians

California Raises the Bar: AB 1950, New Information Security Standard

  • Signed into law on September 29, 2004.

  • Creates an information security standard for non-medical and non-financial entities that have personal information about their customers

    • Exempts financial institutions and entities governed by HIPAA privacy rules

    • Does not define what "reasonable security measures" are other than "procedures and practices appropriate to the nature of information to protect the personal information from unauthorized access, destruction, use, modification or disclosure"

    • Covers "personal information" that is, a name, Social Security number, driver's license number, and California identification number and account, credit, or debit card numbers in combination with passwords, security, or access codes.

      • Medical information is also covered by the law, and is defined as "any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional."


Security and Privacy Compliance Plan

Overview of the “Unified Approach”

Unified Approach to Security

Unified Approach to Security

Unified Approach to Privacy

Compliance Program Integration: Protecting Information/Achieving Compliance

Slide diagram: Attorney-Client Privilege; Legal Evaluation; Compliance Implementation; Risk Analysis and Report; Identify Applicable Laws; Training & Change Management

Fundamental Process

  • Identify assets to be protected

  • Conduct risk assessment

  • Identify and select reasonable and appropriate controls

  • Implement controls

  • Training and awareness

  • Review (audit) effectiveness and make necessary adjustments


Contact Information

M. Peter Adler

Adler InfoSec & Privacy Group LLC

Telephone: (202) 251-7600

Facsimile: (703) 997-5633

Email: [email protected]

2103 Windsor Road

Alexandria, VA 22307
