
Unified Approach to Security and Privacy


Presentation Transcript


  1. Privacy in the Electronic Realm, April 18, 2006
     Unified Approach to Security and Privacy
     M. Peter Adler, JD, LLM, CISSP, CIPP
     Adler InfoSec & Privacy Group LLC

  2. Agenda
     • Problem: Sectoral/State Approach to Security and Privacy
       • Statement of the Problem
       • US Federal Laws and Intended Sectors
       • State Laws and Intended Sectors
       • Private Contractual Standards and Intended Sectors
     • Solution: Unified Approach to Security and Privacy Compliance

  3. US Sectoral Approach Has Led to Numerous Laws and Regulations
     HIPAA, GLBA, FTC, State Law, Sarbanes-Oxley (SOX), US Safe Harbor
     • Other Important Factors
       • The Payment Card Industry Data Security Standard (PCI DSS)
       • International Standards (e.g., NIST and ISO 17799)
       • Infrastructure Protection
       • Identity Theft Prevention
       • Corporate Governance and Reporting

  4. …Have Created a “Silo Approach” to Compliance

  5. The Silo Problem
     [Diagram: separate GLBA Consultants, HIPAA Consultants, Int’l Consultants and State Law Consultants, each working in isolation]
     • Multiple compliance efforts
       • Cost more money
       • Multiple consultants each offering expertise in a specific area (e.g., HIPAA, GLBA, EU Data Protection Directive, California law)
       • So multiple efforts are undertaken when essentially a single effort would suffice
     • Undermine overall compliance effectiveness
       • Redundancy, inconsistency, lack of centralized oversight

  6. A Unified Approach to Compliance
     [Diagram: a single Compliance hub connected to FTC, Safe Harbor, GLBA, Int’l Law, HIPAA, International Operations and Other regimes]
     A Unified Approach addresses all of the regulatory regimes with one comprehensive approach that looks at the applicable security, privacy and other regulatory requirements together.

  7. HIPAA Compliance
     [Diagram: HIPAA Compliance at the center, surrounded by]
     • Administrative Security
     • Procedures, Legal Compliance
     • Technical Security
     • Business Associate Management
     • Physical Security
     HIPAA Requirements/Security: to guard the confidentiality, integrity and availability (CIA) of health information.

  8. FTC Authority to Investigate
     • FTC has broad authority to investigate and bring actions
     • May work with a company to resolve the matter
     • Where a pattern of non-compliance or egregious behavior is involved, the FTC will bring an enforcement action
     • These actions usually result in settlements through consent decrees that include an FTC-mandated security and privacy program

  9. Limitation of Authority
     • FTC cannot regulate industries that are otherwise regulated (e.g., financial institutions, common carriers)
     • FTC may nevertheless work closely with these other industries
     • FTC may share enforcement authority with other agencies/authorities

  10. FTC Security and Privacy Consent Decrees
     • A prohibition on misrepresenting security and privacy program protections
     • Fines
     • A requirement to establish and maintain a security program, including
       • Training and proper oversight of employees and agents
       • Identification of reasonably foreseeable risks
       • Design and implementation of reasonable and appropriate safeguards
       • Regular evaluation of the program

  11. FTC Security and Privacy Consent Decrees (cont.)
     • An obligation to have the security and privacy program reviewed annually by an independent qualified third party
     • A requirement to provide, upon request by the FTC, certain documents related to the representations made about the company’s programs and compliance
     • An obligation to notify the FTC of any change that may affect the company’s compliance
     • A final written report of compliance upon request by the FTC

  12. Previous FTC Actions Resulting in Security or Privacy Programs
     • Section 5 violations for erroneous representations in posted privacy practices
       • FTC alleged the companies involved promised they would take reasonable steps to protect consumers' sensitive information, but failed to do so
     • Eli Lilly (January 18, 2002)
       • Information about Prozac users
     • Microsoft (August 8, 2002)
       • Technology not as secure as claimed, but no security breach uncovered
     • Guess? (June 18, 2003)
       • Failed to use reasonable and appropriate measures to protect customers’ personal information
     • Tower Records (April 21, 2004)
       • Security flaw in the company’s web site exposing customers’ personal information
     • Petco Animal Supplies Inc. (November 11, 2004)
       • Failed to use reasonable and appropriate measures to protect customers’ personal information
     • United States of America v. ChoicePoint, Inc., 1:06-CV-0198, Dist. Ct., Northern District of Georgia (other counts under FCRA/FACTA were also included)

  13. FTC Complaints and Actions in the Last Year
     • Failure to provide reasonable and appropriate security for PI
       • In the Matter of Vision I Props. LLC, FTC, No. 042-3068, 3/10/2005
       • In the Matter of DSW, Inc., FTC, No. 053-3096, 3/14/2005
       • In the Matter of BJ’s Wholesale Club, FTC, No. 042-3160, 9/23/2005
     • Violations of the GLBA Safeguards Rule (FTC)
       • In re Sunbelt Lending Services, FTC, File No. 042-3153, 11/16/04
       • In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC, File No. 042-3104, 4/15/05
       • In re Superior Mortgage Corp., FTC, File No. 052-3136, 9/28/05
     • Spyware
       • FTC v. Odysseus Mktg. Inc., D.N.H., 1:05-cv-00330-SM (complaint filed 9/21/05)
       • The FTC claimed that since September 2003, Odysseus Marketing Inc. and its principal, Walter Rines, had advertised software that purportedly would allow consumers to engage in anonymous peer-to-peer file sharing. The agency argued the claims were false and misleading.

  14. State Breach Notice Laws
     • The State Breach Notice Laws, generally:
       • apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered;
       • at a minimum, define "personal information" (the breach of which triggers the need to notify consumers) as a name in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code;
       • give their state attorneys general enforcement authority;
       • except Illinois, allow for a delay in notification if a disclosure would compromise a law enforcement investigation;
       • allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000 (Rhode Island and Delaware set lower thresholds); and
       • provide a safe harbor for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law.

  15. State Breach Notification Laws
     • Most of the laws require notification if there has been, or there is a reasonable basis to believe that there has been, unauthorized access that compromises personal data.
     • However, as noted in the materials, nine states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to harm the individual.

  16. California Passed the 1st Law on Notice of Security Breach: SB 1386
     • Applies to all companies in California or that do business in California
     • Companies must disclose any security breach to each affected California customer whose personal information has been compromised
     • Personal information (notice-triggering information) is an individual’s first name or first initial, combined with the last name, plus any one of the following identifiers: (1) Social Security number, (2) driver’s license number or California Identification Card number, or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to the account
     • Failure to comply may result in lawsuits and damages

  17. Since Then… State Breach Notice Laws Proliferate
     Arkansas (SB 1167), California (SB 1386), Connecticut (SB 650), Delaware (HB 116), Florida (HB 481), Georgia (SB 230), Illinois (SB 1633), Indiana (SB 503, HB 1101), Louisiana (SB 205), Maine (LD 1671), Minnesota (HF 2121, HF 225), Montana (HB 732), Nevada (SB 347, AB 334), New Hampshire (HB 1660), New Jersey (A 4001), New York (SB 347), North Carolina (SB 1048), Ohio (Subst. HB 104), North Dakota (SB 2251), Rhode Island (H 6191), Tennessee (SB 2220), Texas (SB 122), Utah (SB 69), Washington (SB 6043), Wisconsin (SB 164)

  18. Federal Efforts: Notice of Security Breach
     • Over 24 bills introduced in the past two years, e.g.,
       • Data Accountability and Trust Act (DATA) (HR 4127) (“reasonable risk” standard)
       • HR 3997 (no state Attorneys General enforcement authority)
     • All would preempt state law
     • Differ in terms of safe harbor, exemptions, penalties, notice procedures

  19. SB 1386 Litigation
     • Parke v. CardSystems Solutions Inc., Cal. Super. Ct., No. CGC-05-442624
       • June 17, 2005: discovery that hackers broke into a CardSystems computer system that held private financial data on more than 40 million credit cards issued by MasterCard and other major credit card companies
       • Class action filed June 27 alleging that MasterCard, Visa International and CardSystems failed to protect consumers' privacy rights and to notify consumers in a timely manner of the breach
       • Complaint amended July 6 to add a prayer for damages, as well as allegations of negligence and alleged violations of California Civil Code Section 1798.82, popularly known as SB 1386
       • Show cause order issued 8/1/05 as to why a preliminary injunction should not be granted to force CardSystems to provide notice to all affected Californians

  20. California Raises the Bar: AB 1950, a New Information Security Standard
     • Signed into law on September 29, 2004 (codified at California Civil Code Section 1798.81.5)
     • Creates an information security standard for non-medical and non-financial entities that hold personal information about their customers
     • Exempts financial institutions and entities governed by the HIPAA privacy rules
     • Does not define what "reasonable security measures" are, other than "procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure"
     • Covers "personal information," that is, a name in combination with a Social Security number, driver's license number or California identification number, or an account, credit, or debit card number in combination with a password, security code, or access code
     • Medical information is also covered by the law, and is defined as "any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional."

  21. Security and Privacy Compliance Plan: Overview of the “Unified Approach”

  22. Unified Approach to Security

  23. Unified Approach to Security (cont.)

  24. Unified Approach to Privacy

  25. Compliance Program Integration
     [Diagram: a cycle of Identify Applicable Laws, Legal Evaluation, Risk Analysis and Report, Compliance Implementation, Training & Change Management, leading to Protecting Information/Achieving Compliance; legal work product held under Attorney-Client Privilege]

  26. Fundamental Process
     • Identify assets to be protected
     • Conduct a risk assessment
     • Identify and select reasonable and appropriate controls
     • Implement controls
     • Training and awareness
     • Review (audit) effectiveness and make necessary adjustments

  27. Contact Information
     M. Peter Adler
     Adler InfoSec & Privacy Group LLC
     Telephone: (202) 251-7600
     Facsimile: (703) 997-5633
     Email: adler@adleripg.com
     2103 Windsor Road, Alexandria, VA 22307
