TRANSCRIPT
-
What To Do When Your Data Winds Up Where It Shouldn’t
Don M. Blumenthal, Defcon 16
Las Vegas, Nevada, August 9, 2008
© 2008 – Don M. Blumenthal
-
Disclaimer
Opinions expressed are my own and intended for informational purposes. They should not be attributed to any organization or used as a substitute for direct legal advice.
-
Questions and More Questions
What is PII?
What is a security breach?
To whom does the law apply?
When and how is notice given?
Whom do I have to notify?
What do I offer?
How do I plan ahead?
-
PII Definition - AICPA/CICA
Information related to an identified or identifiable individual
Name, Address, Telephone, SS # or Other Govt ID Numbers
Employer, Employment History
Credit Card Numbers, Credit History, Purchase History
Personal or Family Financial or Medical Information
-
PII Also May Include
“Sensitive PII”
PII Specifying Medical or Health Conditions
Racial or Ethnic Origin
Political Opinions
Religious or Philosophical Beliefs
Trade Union Membership
Sexual Preferences
-
Legal Framework Overview
US - Sectoral approach to security and privacy with a patchwork of laws
Specific types of records
Specific types of institutions
EU Model - Societal approach
EU member states
Argentina, Australia, Canada, Switzerland
Hybrid Model
Japan, Chile, APEC
No law
China, India, Philippines, most of South America
-
Scope
Laws concern
Personal Information
Personally Identifiable Information
Sensitive Consumer Information
Don’t forget
Non-consumer data; e.g., trade secrets
PAPER
-
Know Relevant Data Security/Privacy Laws
Gramm-Leach-Bliley Act
Fair Credit Reporting Act/Fair and Accurate Credit Transactions Act
Health Insurance Portability and Accountability Act
Family Educational Rights and Privacy Act
-
Know Other Important Laws
FTC Act Section 5
Sarbanes-Oxley Act
-
Know the Regulators
GLBA – eight agencies
FCRA/FACTA - FTC
Sarbanes-Oxley – SEC
HIPAA - HHS
FERPA - DoE
-
Know the Regulations
GLBA – FCRA/FACTA
Safeguards, Privacy, Disposal Rules
Red Flag Rule in October, 2008
FFIEC guidelines - track GLB Safeguards but set out processes and criteria in more detail
HIPAA
Security and Privacy Rules
SOX
Section 404
-
Don’t Forget
International laws and directives
Common law/private rights of action
Private standards
-
Common Law
Private sector privacy issues
Tort
Contracts – explicit or implied data protection
-
Standards - Examples
Private
Payment Card Industry Data Security Standard (PCI-DSS)
ISO; e.g., 27001, 27002
COBIT
Federal
FISMA
FIPS 200
NIST 800-53
-
But For All of That
Only two explicit sets of national requirements exist concerning breach response planning
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
FISMA
No non-US government or government alliance has a breach notification requirement
-
Interagency Guidance
Issued by four GLBA agencies
OCC, Federal Reserve, OTS, FDIC
Introduces yet another definition – Sensitive Consumer Information
PII or combination of customer information that would allow someone to log onto or access the customer’s account; e.g., user name and password, or password and account number.
-
Breach Response under Guidance
Must have plan to assess nature & scope of incident and identify what PII has been accessed or misused
Must notify primary GLBA regulator and other relevant law enforcement
Must notify data owners if breach involves Sensitive Consumer Information
Describe incident and how handled
Provide data protection consumer education and services
-
FISMA
Requires procedures for detecting, reporting, and responding to security incidents
No requirement of notice to individuals whose information has been compromised
Application of FISMA and related guidelines outside of federal agencies is a subject of debate
-
FTC “Protecting Personal Information”
Business education pamphlet/video
Breach response plan is one element
Have plan
Designate coordinator
Disconnect compromised computer from Internet
Know applicable laws and regulations
Know who should be notified, including consumers
-
Response Elements
Regulators will look for these items
Risk-based plan, appropriate to size and complexity
Response that addressed nature and scope of incident, including what systems and data were compromised
○ Even if no prior plan
Inform relevant law enforcement
Contained and controlled
Notified affected parties where appropriate
-
To Keep Regulators Happy
Be proactive
Have a comprehensive enterprise security plan, including steps to respond to data compromise
Read cases, regulations, guides, decisions, standards
Distill and apply to your environment
Must plan to prevent/mitigate data compromise but also to react well if it happens
-
Enforcement Factors
Representations
Practices to protect and detect
Reasonableness
Demonstrable harm
Reaction
-
State and Local Governments
Far ahead in breach notification
As of 04/08:
39 states
DC
New York City
Puerto Rico
-
Usual State PII Definition
First and last name OR last name and first initial - plus
Social Security Number OR
Driver’s License Number OR
State Identification Number OR
Debit or Credit Card Number OR
Financial Account Number OR
Medical Information OR
Health Insurance Information
Most state notification laws require that a PIN or access code also be disclosed before account numbers are included in the definition
-
Some Common Elements
Personally identifiable information
Exemptions if data encrypted
Check encryption definition
No exemption if PIN included
Delay notice at LE request
Financial data
A few cover medical also
Allowable forms of notice
Most have some exemption if company covered by federal law such as GLBA
-
Coverage Issues to Check
Triggers
Access; accessed and “used”
Disclosed
Likely/unlikely to have been used
Harm likely/unlikely
Who makes determination
Whether applies outside jurisdiction
Provisions for third party data holders
-
Notification Rules Vary
How much delay is permissible
Which state and local agencies to notify
Credit reporting agencies
May be thresholds that trigger requirements
-
Potential Consequences Differ
Penalties that can be levied by government
Private rights of action
-
Moving from Law to Reality
Laws, regulations, and standards provide solid guidelines
Real world fleshes them out for the specific enterprise and situation
-
Breach Risk Management Necessities
Management commitment to privacy and compliance with laws/regs/etc.
Management commitment to maintain and fund enterprise security and privacy programs
Cross-organizational structure with solid communications
Targeted training
Response plan
-
Can’t Be Done in a Vacuum
Breach response plan must be part of overall data security plan
Coordinate with other information management systems
Ensures comprehensive approach
Helps make program more efficient and cost effective
-
To Be Able to React to Loss
Know where data is
Know what’s in data
Know stakeholders
In and outside enterprise
Know lines of authority and communication in enterprise
Devise structure that allows all necessary stakeholders to coordinate
-
Response Plan Elements
Evidence preservation
Internal crisis communications
Customer and other notification; e.g., employees and retirees
Investor and employee communications
-
If The Worst Happens
Notify necessary individuals in organization
According to existing response plan, of course
Include business, legal, tech, PR, and HR at minimum in response activities
Notify law enforcement
Follow LE lead if requested
Listen to your in-house subject matter experts
Document every step of response
-
Identify Loss
Lost PII/SCI
Form line of business teams if necessary
Provide ongoing legal and business guidance to analysts
Elements of sensitive data under relevant statutes
Necessary combinations to invoke PII or SCI
Don’t forget sensitive info that may not have regulatory ramifications; e.g., trade secrets
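The "necessary combinations" point above, and the "Usual State PII Definition" and "Some Common Elements" slides earlier, describe a combinational rule that analysts have to apply to every compromised record: a name plus one of several data elements, account numbers counting only when a PIN or access code was also exposed, and an exemption for encrypted data. The triage helper below is an added example, not material from the talk, showing how to encode those rules so a data review can be run consistently over a dump rather than by eye. The field names (`ssn`, `card_number`, `pin`, and so on), the `key_compromised` switch (which models the case where the encryption key or PIN went with the data, so the encryption exemption should not be relied on), and the sample records are all constructed assumptions; the actual elements and the meaning of "encrypted" differ by state and must be checked against each statute.

```python
"""Breach-record triage against the state PII and Interagency SCI definitions.

Added example; field names, flags and sample data are assumptions, not a
reading of any particular statute.
"""
from dataclasses import dataclass, field

# Elements that, combined with a name, meet the usual state definition.
STATE_TRIGGER_FIELDS = {"ssn", "drivers_license", "state_id",
                        "medical_info", "health_insurance"}
# Account-type numbers: most state laws count these only when a PIN or
# access code was exposed with them.
ACCOUNT_FIELDS = {"card_number", "financial_account"}
ACCESS_CODE_FIELDS = {"pin", "access_code", "password"}


@dataclass
class Record:
    """One compromised record. `fields` maps an element name to its value;
    `encrypted` names the elements that were exposed only in encrypted form."""
    fields: dict
    encrypted: set = field(default_factory=set)


def exposed_elements(rec, key_compromised=False):
    """Elements an attacker can actually use. Encrypted elements are
    discounted unless the key/PIN was lost with the data (assumption: then
    the encryption exemption should not be claimed)."""
    present = {k for k, v in rec.fields.items() if v not in (None, "")}
    return present if key_compromised else present - rec.encrypted


def has_name(present):
    # First and last name, OR last name and first initial.
    return "last_name" in present and (
        "first_name" in present or "first_initial" in present)


def is_state_pii(rec, pin_required=True, key_compromised=False):
    """Usual state definition: name plus a trigger element; account numbers
    only trigger together with an access code when pin_required is set."""
    present = exposed_elements(rec, key_compromised)
    if not has_name(present):
        return False
    if present & STATE_TRIGGER_FIELDS:
        return True
    if present & ACCOUNT_FIELDS:
        return (not pin_required) or bool(present & ACCESS_CODE_FIELDS)
    return False


def is_sci(rec, key_compromised=False):
    """Interagency Guidance Sensitive Consumer Information: user name and
    password, or password and account number. No name is needed."""
    present = exposed_elements(rec, key_compromised)
    if "username" in present and "password" in present:
        return True
    return "password" in present and bool(present & ACCOUNT_FIELDS)


def triage(records, pin_required=True, key_compromised=False):
    """Count records per category; the counts drive whom must be notified."""
    summary = {"total": len(records), "state_pii": 0, "sci": 0, "neither": 0}
    for rec in records:
        st = is_state_pii(rec, pin_required, key_compromised)
        sci = is_sci(rec, key_compromised)
        summary["state_pii"] += st
        summary["sci"] += sci
        summary["neither"] += not (st or sci)
    return summary


# Constructed sample dump (no real people or numbers).
SAMPLE_RECORDS = [
    Record({"first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"}),
    Record({"first_initial": "B", "last_name": "Ng", "card_number": "4111000000000000"}),
    Record({"first_name": "Cy", "last_name": "Ortiz", "card_number": "5500000000000000",
            "pin": "1234"}),
    Record({"first_name": "Di", "last_name": "Park", "ssn": "000-00-0001"},
           encrypted={"ssn"}),
    Record({"username": "epark", "password": "hunter2"}),
    Record({"first_name": "Fay", "last_name": "Quinn", "email": "f@example.test"}),
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
    print(triage(SAMPLE_RECORDS, pin_required=False))
    print(triage(SAMPLE_RECORDS, key_compromised=True))
```

Running the three variants side by side is the point: the same dump yields two state-PII records under the usual rule, three if the governing statute counts account numbers without a PIN, and three again if the encryption key was lost with the data, which is why the slides say to check the trigger and the encryption definition for each jurisdiction before deciding whom to notify.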
-
Engage Outside Counsel
Unlikely that in-house staff will have sufficient expertise
Vet your outside counsel choice
Don’t automatically go with usual firm
Check qualifications of lawyers working the matter; “X was with the FTC” doesn’t necessarily mean that “X has GLBA experience”
Engage two organizations if necessary to have both security/privacy and litigation experience
Make sure they work together
-
Other Outside Help
Forensics
May want to cross-check data analyses
Especially if loss involves hardware theft
Crisis management company
Consider hiring organization with experience in handling public aspects
○ PR
○ Required notifications
Assistance for individuals whose information was compromised
-
Role of Counsel
Lawyers should be lawyers
Be careful about “good old boy/girl” network
Don’t necessarily have expertise to choose forensic or other specialists
Ask who is doing data review for PII
Are lawyer hourly rates necessary?
-
Going Above and Beyond
Do the right thing
Public perception can be everything
Data holders may expect notification and other protections even where not required
Respond positively to press
-
If Regulators Call
Know what the laws require
Relevant security/privacy requirements
Notification statutes, regs, and guidelines
Show respect
Don’t play games
-
Things to Watch - US
Report of the President’s Identity Theft Task Force
Legislation; e.g., extension of GLBA to all entities and a federal breach notification law
Application of FISMA and regs to outside holders of federal government data
Federal Agency Data Protection Act (HR 4791)
Feds must notify victims if data compromised
Passed House 06/03/08
-
Things to Watch – Outside US
Proposed EU breach notification requirement for the Privacy and Electronic Communications Directive
Canadian Privacy Commissioner voluntary breach notification guidelines; linked to PIPEDA
-
Questions Later?
Don M. Blumenthal
[email protected]
(734) 997-0764
(202) 431-0874 (m)
www.donblumenthal.com