
Data Breach Notification Laws Time for a Pimp Slap






Slide 0

Data Breach Notification Laws: Time for a Pimp Slap
10/21/2011
Steve Werby, Chief Information Security Officer, University of Texas at San Antonio


Slide 1

Pimp slap
A powerful, backhanded slap to the face


Slide 2

@stevewerby
Favorite color: Cadet blue
Hobby: Stalking divorcees under age 25
Favorite number: 6.0221415 × 10^23
Pet’s name: Cujo
Favorite movie: Santa with Muscles
Last 4 of my SSN: 6497
Place of birth: Delta City


Slide 3

@stevewerby
Infosec since ’99 - ran 2 IT consultancies ’99-’04
Analyst at a university, CISO at state agency, CISO at a university^2


Slide 4

Today’s menu
Incidents I was involved in
Data breach notification laws - what and why
Issues
Alternatives to achieve desired goal


Slide 5

Definitions
Exposed: made accessible to unauthorized person
Breached / compromised: access gained by unauthorized person
Misused: used by authorized person for unauthorized purpose
Potential: possible != actual


Slide 6

Getting to know you
Received a data breach notification?
Been involved in handling one?
Investigated the incident that led to it?
Participated in decision about whether to notify?
Identified contact information?
Wrote notification content?
Handled notification logistics?
Answered calls from affected individuals?
Caused an incident that led to a notification?


Slide 7

Example exposures…maybe
Data sanitization vendor’s driver sold laptops
Medical provider’s computers stolen
Grade processing system stolen
Personal info exposed to unauthorized employees
Web hosting provider’s password DB compromised


Slide 8

$
Sony - $10s of millions
Those I’ve been involved in – 5-6 figures


Slide 9

$
12/15/2010 Ohio State exposure of 760,000 individuals’ names, DOBs, SSNs
3rd-party forensic analysis - $222,000
Legal consultant - $100,000
Communications consultant - $50,000
Notification and credit protection - $3,700,000
Reputational damage - ?
Employee time - ?


Slide 10

2 recent examples
TRICARE
Stanford Hospital


Slide 11

Tip of the iceberg
Only a tiny fraction of data exposures are disclosed


Slide 12

In the beginning
Enacted in 2002, effective in 2003
Limited to data related to financial identity fraud


Slide 13

Motivation
Perception that breaches of electronic data involving personally identifiable information were increasing


Slide 14

Increase in electronic breaches?
Actual increase not verifiable
Doesn’t consider growth in electronic data storage
Substantial % of identity fraud not due to electronic data
Remote system accessibility & portable storage increase
Breach stats combine actual and potential
Has led to a cycle:
=> More/broader/improved laws
=> more reporting
=> more individual awareness & more media coverage
=> improved security resources, processes, posture
=> more breaches discovered
=> more/broader/improved laws


Slide 15

Rationale
Provides necessary information for affected individuals to make informed decisions to mitigate impact
Negative consequences associated with disclosure will result in improved security practices


Slide 16

Boom goes the dynamite


Slide 17

Types of harm
Death and physical harm
Financial loss
  Loss of $, loss of property, property damage
  Credit score damage
  Financial identity fraud
    Account takeover
    Account creation
Social harm
  Loss of job, damage to professional opportunities
  Relationships, embarrassment


Slide 18

AYCE (all-you-can-eat) notification
Death and physical harm
  Murderers, violent offenders, mentally unstable
  People with contagious disease, speeders, drunk drivers
Financial loss
  Robbery, burglary, vandalism (robber, burglar, vandal)
  Fraud, customer complaints, charlatans
Social harm
  Insecure Wi-Fi APs, people who own binoculars
Provides necessary information for at-risk individuals to make informed decisions to mitigate impact
Negative consequences associated with disclosure will result in reduction in risk


Slide 19

Data breach notification laws
Federal laws
  Health records – HITECH Act (via HHS and FTC)
  Financial records – GLBA, FTC Safeguards Rule
  Education records – FERPA
  Federal agencies’ records – FISMA, OMB, VA
State+ laws
  46 states (MA+NC cover paper)
  DC + Puerto Rico + Virgin Islands
International
  Europe
  Japan
  And more


Slide 20

Data breach notification laws


Slide 21

Data breach laws - future
Federal laws
  Existing laws are in flux
  Overarching national law could be coming
State+ laws
  Scope and other details changing
  Alabama, Kentucky, New Mexico, South Dakota
  Texas healthcare, California beefing theirs up
International
  Europe considering expanding beyond telecom
  Canada
  Taiwan


Slide 22

Components
Who the law applies to
Types of data covered
State/format of data covered
What constitutes a breach
Disclosure obligations
Non-compliance ramifications
Exceptions


Slide 23

Who the law applies to
Entity || individual
  May specify type
Conducts biz in state ||
Maintains data of residents of state ||
Resulted in or may result in a type of harm to a resident of the state


Slide 24

Types of data covered
(First name || first initial) && last name + (SSN || DL || unique government ID)
|| ((Financial account # || CC # || debit card #) && (Security code || password))
|| (Medical info || health insurance info)


Slide 25

State/format of data covered
Electronic
  In some cases paper too
Unencrypted || Encrypted, but key breached || Not redacted or altered
  SSN <5, DL last 4


Slide 26

What constitutes a breach
Unauthorized access and acquisition that compromises security || confidentiality || integrity of a record
Sometimes must be 2+ records
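The rules on slides 24, 25 and 26 combine into one triage question for an incident handler: how many of the exposed records actually contain covered data in a covered state? The following is an added example, not from the deck or any statute; the field vocabulary, the record class and the sample records are constructed, and the slide 24 expression is implemented literally.

```python
from dataclasses import dataclass

# Constructed field vocabulary, modelled on the wording of slide 24.
NAME_FIELDS = {"first_name", "first_initial"}
GOV_ID_FIELDS = {"ssn", "drivers_license", "government_id"}
ACCOUNT_FIELDS = {"financial_account", "credit_card", "debit_card"}
ACCESS_FIELDS = {"security_code", "password"}
HEALTH_FIELDS = {"medical_info", "health_insurance_info"}

@dataclass
class ExposedRecord:
    fields: set                # data elements present in the exposed record
    encrypted: bool = False
    key_breached: bool = False
    redacted: bool = False     # e.g. SSN cut to fewer than 5 digits, DL last 4 only

def is_covered_pii(fields: set) -> bool:
    """Slide 24, read literally: name + government ID, or account number +
    access secret, or health data.  (Assumption: many statutes also require
    the name in the account and health branches; adjust per jurisdiction.)"""
    has_name = bool(fields & NAME_FIELDS) and "last_name" in fields
    name_and_gov_id = has_name and bool(fields & GOV_ID_FIELDS)
    account_and_secret = bool(fields & ACCOUNT_FIELDS) and bool(fields & ACCESS_FIELDS)
    health = bool(fields & HEALTH_FIELDS)
    return name_and_gov_id or account_and_secret or health

def is_covered_state(rec: ExposedRecord) -> bool:
    """Slide 25: data counts only if it is not redacted and is either
    unencrypted or encrypted with the key also breached."""
    if rec.redacted:
        return False
    return (not rec.encrypted) or rec.key_breached

def records_triggering_notification(records, min_records: int = 1) -> int:
    """Count records meeting both rules; slide 26 notes some laws need 2+ records,
    so below min_records the count is reported as 0 (no trigger)."""
    n = sum(1 for r in records if is_covered_pii(r.fields) and is_covered_state(r))
    return n if n >= min_records else 0

# Constructed sample incident: four exposed records from a stolen laptop.
SAMPLE_RECORDS = [
    ExposedRecord({"first_initial", "last_name", "drivers_license"}),   # covered
    ExposedRecord({"first_name", "last_name", "ssn"}, encrypted=True),   # key not breached
    ExposedRecord({"medical_info"}),                                     # covered
    ExposedRecord({"first_name", "last_name", "ssn"}, redacted=True),    # redacted
]
```

Encrypted-but-key-safe and redacted records drop out of the count, which is exactly the "actual vs. potential" distinction from the definitions slide.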


Slide 27

Disclosure obligations - who
Notify affected individual || the affected owner/licensee
Notify Office of Attorney General
Notify consumer reporting agencies


Slide 28

Disclosure obligations - when
Without reasonable delay
Sometimes immediately || within specific timeframe
Can delay to determine scope && restore system integrity && if LEA advises disclosure will impede investigation or national security


Slide 29

Disclosure obligations - method
Written notice
Email notice if email address is valid && individual permits communication via email
Telephone
Media || email || org’s website if
  cost > defined threshold ||
  # of recipients > defined threshold ||
  contact info is unreliable or unknown ||
  can’t identify affected individuals


Slide 30

Disclosure obligations - detail
General incident overview
Type of personally identifiable information
Steps that will be taken to protect against further unauthorized access
Contact phone number (if one exists)
Advice to review account information and free credit reports


Slide 31

Non-compliance ramifications
Attorney general may bring action to
  Obtain actual damages
  Seek civil penalty for willful and knowing violation of notification requirements
Federal agencies can sanction orgs
  Mandate controls
  Mandate audits
Affected individual can seek to recover direct economic damages
  But not $ for the time they put into doing so


Slide 32

Exceptions
Notification not required if affected individuals unlikely to experience fraud as a result of incident
Some types of organization/sectors excluded


Slide 33

Data breach notification laws


Slide 34

Issues – scope
Not comprehensive enough
  Mostly electronic – 30% of reported breaches involve paper; some reports indicate most breaches involve paper
  What about spoken word…and smoke signals?
  Focus almost entirely on financial identity fraud
Excessive notification
  Only 3% of those notified of a breach experience identity fraud as a result
  Leads to ignoring, considering all the same, failure to take action


Slide 35

Issues – ambiguity
Reasonable
  Without reasonable delay
Likely
  May result in harm
  Likely to result in harm
Validity of contact information
Must other states’ laws be adhered to?


Slide 36

Issues – difficulty complying
Inconsistencies
  Follow each state’s requirement, or adhere to the state’s requirement that’s most limiting
Incompatibilities
  LEA allows for delay in notification, but another state doesn’t allow for that
Individual / small org vs. large org


Slide 37

Issues – inequitable treatment
Single incident could result in
  Notification not required for some individuals
  Some individuals provided different information
  Some individuals less likely to receive notification


Slide 38

Issues – miscellaneous
Ways of identifying a person are myopic
  Username, email address, phone number
Don’t always know residency of individual
  Residency information not collected
  Residency information could be stale
  Phone # portability


Slide 39

Issues – incentives
Avoidance $ < notification $ + notification impact $?


Slide 40

Issues - rationale reality
Provides necessary information for affected individuals to make informed decisions to mitigate impact
  Information overload – useless information
  Many actions should be taken regularly anyway
    Account review, credit report review
  Some actions can’t be taken
    Can’t get issued new SSN or stop doing biz with gov
  Risk is overblown – impact likelihood / liability


Slide 41

Issues - rationale reality
Negative consequences associated with disclosure will result in improved security practices
  Many incidents are people failures
  Affected individuals’ memories are short
  Orgs’ efforts like Iridium-192
  Orgs’ efforts sub-optimized
  Proof’s in the pudding


Slide 42

Pimp slap


Slide 43

Alternatives


Slide 44

Plan 1
Play Angry Birds and just don’t sweat it


Slide 45

Plan 2
Fine violators $100 billion


Slide 46

Plan 3
Make all information public


Slide 47

Alternatives – the elements
Focus on preventing unauthorized access
Focus on preventing misuse of data
Encourage individual behavior
Improve breach notification laws


Slide 48

Prevent unauthorized access
Mandate or encourage
  Limiting access to authorized personnel
  Limiting use to authorized purposes
  Protection and transmission of data
  Risk management
Educate authorized personnel
Increase personnel’s accountability


Slide 49

Prevent misuse of data
Make it more difficult to access financial accounts
Make it more difficult to create financial accounts
Make it more difficult to access any accounts
Increase penalties for data theft and misuse


Slide 50

Encourage individual behavior
Preventive
  Use unique passwords everywhere
  Use unique usernames (I don’t eat my own dog food)
  Protect your email account – keys to the kingdom
  Protect the personal information you control
Detective
  Check financial accounts routinely
  Check credit reports routinely


Slide 51

Improve breach notification laws
Increase scope beyond financial fraud risk
  Oh, Canada!
  And include all types of orgs
Increase consistency in state laws
Risk-based approach
  Likelihood of access, likelihood of misuse, potential impact, org’s ability to mitigate, compensating controls, affected individual’s ability to mitigate
  Compliance status – infosec program, risk-based approach
  Sanction status
  Leave up to org? Or scoring system


Slide 52

Improve breach notification laws
Consistent reporting format
Increase information that’s shared
  Reduce PR speak
  Clearly describe risk
  Clearly describe recommended actions


Slide 53

Improve breach notification laws
Tiered notification
  Tier 1 – track internally, make available for audit, notify internal personnel
  Tier 2 – notify national authority and internal personnel
  Tier 3 – notify affected individuals
Notification methods
  To affected individual – base on org’s size
  National database – public and private views


Slide 54

Questions and discussion?


Slide 55

Contact me
<myfirstname>@<mylastname>.com
@stevewerby
3 blocks from 29.431057° N, 98.490522° W

