Privacy Breach vs. Security Breach

Privacy Breach vs. Security Breach The Great Lakes InfraGard Conference Securing Our Critical Infrastructures June 20, 2012 Keith A. Cheresko Principal, Privacy Associates International LLC


Transcript of Privacy Breach vs. Security Breach

Page 1: Privacy Breach vs. Security Breach

Privacy Breach vs. Security Breach

The Great Lakes InfraGard Conference Securing Our Critical Infrastructures

June 20, 2012

Keith A. Cheresko Principal, Privacy Associates International LLC

Page 2: Privacy Breach vs. Security Breach

Purpose

• Explore the sometimes murky and confusing world of data breaches
• Shed light on the differences and similarities of privacy and security breaches
• Leave you with a better understanding of the environment in which we all operate
• Provide actionable ideas to help prevent breaches and increase the security of data under our control

Page 3: Privacy Breach vs. Security Breach

Agenda

• Terminology
• Background
• Governing Rules
• Practical Suggestions
• Questions & (hopefully) Answers

Page 4: Privacy Breach vs. Security Breach

Terminology

Personal - “of, relating to, or affecting a particular person: private, individual <personal ambition> <personal financial gain>” (Webster)

Personal Information (PI) - data of, relating to, or affecting a particular person

Personally Identifiable Information (PII) - data that can be tied to a unique person, some of which has obtained defined legal protection (information relating to an identified or identifiable individual)

Page 5: Privacy Breach vs. Security Breach


Background

Page 6: Privacy Breach vs. Security Breach

Statistics

As of June 16, the Privacy Rights Clearinghouse database lists:

• 562,242,283 records from 3,136 data breaches made public from 2005 to June 2012
• 18,537,734 records from 264 breaches made public so far in 2012
• 6,563,454 records from 16 breaches made public in June alone, half of which reported unknown record counts

Page 7: Privacy Breach vs. Security Breach


Statistics

The Verizon 2012 Data Breach Investigations Report indicates:

855 incidents resulting in 174,000,000 compromised records

Page 8: Privacy Breach vs. Security Breach

Statistics

The Ponemon Institute’s 2011 Cost of Data Breach Study for US-based companies reports:

• $194 average cost per compromised record
• $5,500,000 average organizational cost per event

Page 9: Privacy Breach vs. Security Breach


Is a Privacy Breach Different than a Security Breach?

Page 10: Privacy Breach vs. Security Breach

Privacy vs. Security

• To answer, first consider the difference between privacy and security
• Privacy relates to giving an individual some level of control over his personally identifiable information (PII)
 – Definitions of PII vary, which we will discuss later
 – To give the individual some control, privacy is concerned with matters such as choice, notice, access, data quality, and security as it relates to PII
• Data security is concerned with the safeguarding of all data, not just PII
• Privacy is broader than security in one sense; security is broader than privacy in another

Page 11: Privacy Breach vs. Security Breach

What is a Privacy Breach?

Can relate to two situations:
• The unauthorized access to or acquisition of the kind of PII specified by an applicable law (security of PII)
• The failure to live up to obligations made with respect to non-security-related aspects of privacy (notice, choice, access, etc.)

Page 12: Privacy Breach vs. Security Breach

What is a Security Breach?

The unauthorized access to or acquisition of anything proprietary:
• Buildings, facilities and other physical plants
• Computer equipment
• Product inventory
• Confidential or secret information
• Trade secrets
• Intellectual property
• Proprietary items
• Financial information
• Data in paper or electronic form
• Personal information of consumers, employees, etc.
• Customer lists

Page 13: Privacy Breach vs. Security Breach

Should I worry?

Virtually any organization handling PI has the potential to experience a breach of data (personal or other type) security. For example, consider the cross section of reported breaches:
• Retailers – Michaels Stores, Macy’s St. Louis
• Hospitality/food and beverage – Five Guys, Hannaford Bros.
• Educational Institutions – University of North Florida, University of Virginia
• Healthcare Providers – Phoenix Cardiac Surgery, South Shore Hospital, Charlie Norwood V.A. Medical Center
• Financial Institutions – Citi, U.S. Federal Retirement Thrift Savings Plan

Page 14: Privacy Breach vs. Security Breach

Who is affected?

• Payment Processors – WHMCS, Heartland Payment Systems
• Professional Service Providers – Law Firms, Accountants, Auditors
• Governmental Entities and Agencies – Office of the Texas Attorney General, City of New Haven, New York State Office of Children and Family Services
• Internet Service Providers – LinkedIn, eHarmony
• Utilities
• and on and on and on ---

Page 15: Privacy Breach vs. Security Breach

Consequences of a breach?

Depending on the nature, sensitivity, type and volume of data or other assets compromised it may mean:
• Loss of intellectual property
• Possible ID theft
• Damage to organization’s reputation
• Legal actions – regulatory and consumer
• Operating and operational inefficiencies
• Increased operating costs
• Organization freeze-up/paralysis
• Lost business from consumer churn or business termination
• Adverse impact on market valuation

Page 16: Privacy Breach vs. Security Breach


What Are the Governing Rules?

Page 17: Privacy Breach vs. Security Breach

U.S. Federal Laws: Privacy and Information Security

• The Federal Trade Commission Act
• The Gramm-Leach-Bliley Act
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Family Educational Rights and Privacy Act of 1974 (FERPA)
• Driver's Privacy Protection Act of 1994 (DPPA)
• Federal Information Security Management Act of 2002 (FISMA)
• Fair and Accurate Credit Transactions Act (FACTA)

Page 18: Privacy Breach vs. Security Breach

U.S. Federal Laws: Privacy and Information Security

• Electronic Communications Privacy Act
• Telephone Consumer Protection Act of 1991
• Privacy Act of 1974
• Computer Security Act of 1987
• E-Government Act of 2002
• Children's Online Privacy Protection Act of 1998
• Children's Internet Protection Act
• Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)

Page 19: Privacy Breach vs. Security Breach

FTC and Consumer Data

• The FTC is empowered through Section 5 of the Federal Trade Commission Act to address:
 – unfair methods of competition in or affecting commerce, and
 – unfair or deceptive acts or practices in or affecting commerce
• As noted earlier, the failure to live up to one’s own privacy policy may be deemed a deceptive practice, leading to a privacy breach
• Also, failing to provide adequate data security may be considered an unfair practice, leading to a privacy breach

Page 20: Privacy Breach vs. Security Breach

FTC and Consumer Data

• FTC expects organizations to provide physical, technical, and administrative security for consumer personal information
• FTC does not expect maximum available security; rather, security should be reasonable and appropriate to:
 – Organization’s size and complexity
 – The nature and scope of its activities
 – Sensitivity of the PI
• Risk assessments should be conducted to determine areas of greatest risk, and reasonable safeguards must be implemented in light of those findings

Page 21: Privacy Breach vs. Security Breach

Gramm-Leach-Bliley (GLBA) Financial Data Security: Interagency Guidelines

• Law required agencies to adopt security regulations relating to physical, technical, and administrative safeguards against the unauthorized access to, or use of, customer information
• Result - Interagency Guidelines Establishing Standards for Safeguarding Customer Information
 – Require written information security plans
 – The plans must assess, manage, and control threats that could result in unauthorized disclosure of information
 – Encourage adoption of measures appropriate to the institution’s circumstances

Page 22: Privacy Breach vs. Security Breach

FTC Safeguards Rule

• Design a program to protect against unauthorized access to, or use of, customer information that could result in “substantial harm or inconvenience” to customers
• Designate coordinator(s) for the program
• Conduct a risk assessment
 – identify internal and external risks to customer information, and
 – assess the sufficiency of existing safeguards to control the risks
• Design and implement safeguards to control the identified risks

Page 23: Privacy Breach vs. Security Breach

FTC Safeguards Rule

• Regularly test the effectiveness of the safeguards
• Oversee service providers
 – Select and retain service providers capable of maintaining appropriate safeguards
 – Require service providers to implement and maintain safeguards
• Evaluate and adjust the program in light of
 – regular testing and monitoring,
 – material changes in business, or
 – other circumstances that have a material impact on the program

Page 24: Privacy Breach vs. Security Breach

Protected Health Information

• HIPAA, HITECH and the HIPAA Security Rule establish national standards for the protection of individuals’ electronic personal health information in the hands of “covered” entities
• HIPAA requires appropriate administrative, physical, and technical safeguards, but includes much more specific mandates under the Security Rule
• HITECH amendments to HIPAA apply the HIPAA Security Rule directly to business associates. HHS can audit business associates for compliance and impose civil and criminal penalties (up to $1.5m), and State AGs can bring separate actions

Page 25: Privacy Breach vs. Security Breach

FERPA, DPPA, FISMA and FACTA

• Family Educational Rights and Privacy Act of 1974 (limits disclosures of educational records maintained by agencies and institutions that receive federal funding)
• Driver's Privacy Protection Act of 1994 (limits disclosures of personal information in records maintained by state departments of motor vehicles)
• Federal Information Security Management Act of 2002 (requires federal agencies to develop, document and implement an agency-wide program to provide information security)
• Fair and Accurate Credit Transactions Act (Red Flags and Data Disposal rules)

Page 26: Privacy Breach vs. Security Breach

State General Data Security Safeguards

Generally:
• Apply to any person owning or licensing PII relating to residents of the state
• Require businesses to implement and maintain reasonable security procedures and practices for the protection of PII
• Require appropriate disposal of PII, rendering it unreadable or undecipherable

Page 27: Privacy Breach vs. Security Breach

State Data Security Laws

• At least 33 states have laws relating to Social Security numbers (SSNs), designed primarily to limit the use of SSNs
• Five states require implementation of policies to protect SSNs
 – Connecticut, Michigan, New Mexico, New York, Texas
• Two states have gone farther in specifying required business security practices
 – Massachusetts and Nevada

Page 28: Privacy Breach vs. Security Breach


Massachusetts Rule

• Applies to any person who receives, maintains, processes, or has access to PI about MA residents

• The regulation nominally applies to any entity, anywhere in the world, holding PI relating to a MA resident

• The covered PI is defined as an individual’s name in combination with a SSN, driver’s license number, or financial account number, credit or debit card number (with or without password)

Page 29: Privacy Breach vs. Security Breach

Massachusetts Rule Requirements

• Performance of risk assessments
• Development and maintenance of a comprehensive Written Information Security Program (WISP)
• Application of physical security controls
• Application of electronic security controls
• Use of encryption
• Selection and retention of competent service providers
• Employee training
• Employee compliance
• Development and maintenance of appropriate policies regarding storage, access, and transportation of personal information outside business premises
• Processes in place preventing terminated employees from accessing personal information
• Documenting responses to breach incidents and post-incident reviews

Page 30: Privacy Breach vs. Security Breach


Nevada Encryption Law

• Applies to a business that maintains, handles, collects, disseminates, or deals with personal information

• Personal information is defined as an individual’s name in combination with a SSN, driver’s license number, or financial account number

• Must encrypt electronic transmission (other than fax) to a person outside the business’ own secure system

• Must encrypt “data storage devices” when they are moved beyond the logical or physical controls of the business or its data storage contractor

Page 31: Privacy Breach vs. Security Breach

Other Considerations

• Specialty state and local requirements
• Trade association undertakings
• Payment Card Industry Data Security Standard (PCI DSS)
• Mobile practices
• Constantly shifting environment
• New uses and applications for data

Page 32: Privacy Breach vs. Security Breach


Wait –There’s More

Page 33: Privacy Breach vs. Security Breach

Breach Notification Laws

• Designed to help enforce security obligations
 – In theory, helps consumers protect themselves
 – Provides government authorities enforcement opportunities
 – Bad PR and breach-associated costs encourage compliance
• Notification is generally triggered by the unauthorized access to, or acquisition of, PI covered by the law
• Other variables affect whether a breach notification law applies, such as:
 – Storage medium involved
 – Use of data encryption

Page 34: Privacy Breach vs. Security Breach


Federal Breach Notification: (GLBA)

Regulations adopted by financial regulators and the FTC pursuant to GLBA include breach notification provisions for unauthorized access to sensitive customer information held by banks and other financial institutions.

Page 35: Privacy Breach vs. Security Breach

Federal Breach Notification: HIPAA (HITECH)

• Written notices must be provided without unreasonable delay and no later than 60 days after discovery of the breach
 – Law enforcement delay permitted if notification would impede a criminal investigation or damage national security
 – Content requirements apply
• A covered entity must notify:
 – HHS of any breach involving 500 or more individuals at the time it provides consumer notice
 – HHS annually of breaches involving fewer than 500 individuals
 – Prominent media in a state of breaches involving more than 500 residents of the state

Page 36: Privacy Breach vs. Security Breach

Federal Breach Notification: HIPAA (HITECH)

• A business associate that discovers a breach must notify the covered entity
• A similar FTC rule applies to vendors of personal health records and to entities offering products or services through the web site of a vendor of personal health records

Page 37: Privacy Breach vs. Security Breach

U.S. State Breach Notification Laws

46 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have laws:
• PI usually covered: name plus SSN, driver’s license number, bank account information with PIN, or health information (often with an exception when encrypted); there are significant state variations in covered PI
• Notice to individuals required in the event of a breach and, in some instances, notice to credit-reporting agencies and/or regulators (e.g., New York Attorney General, New Jersey State Police) also specified
• 18 states impose requirements with respect to the content of the consumer notice
• State insurance regulators also impose notification requirements on insurance companies

Page 38: Privacy Breach vs. Security Breach

My Head Hurts

Page 39: Privacy Breach vs. Security Breach


What does it all mean?

Page 40: Privacy Breach vs. Security Breach

The Hits Keep on Coming With These Events Recently in the Headlines

• WHMCS Breach May Be Only Tip of the Trouble
• Spokeo to Pay $800,000 to Settle FTC Charges
• Myspace Settles FTC Charges it Misled Millions of Users
• Lax Security at LinkedIn is Laid Bare
• Potential Class Action Targets Emory Healthcare Over Patient Data Breach
• ID Theft in Backyard of Texas Attorney General
• Massachusetts Levies Fine of $15,000 for Stolen Laptop
• HHS Settles Cases with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards
• A Six-Figure Credit Breach at Five Guys
• Information of U.S. Federal Employees Exposed
• South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations
• House Committee to Probe e-Banking Heists

Page 41: Privacy Breach vs. Security Breach


What should be done?

Page 42: Privacy Breach vs. Security Breach

Privacy and Other Data Security Breaches

• An ounce of prevention is worth a whole lot more than a pound of cure
• It is not a “once and done” adventure
• When the going gets tough, the tough get going
• Yammer, yammer, yammer ….

Page 43: Privacy Breach vs. Security Breach

Practical Considerations

• Basic requirements for data protection are surprisingly similar across segments, although details do vary
• The concept of technical, physical and administrative security requirements is almost universal
• The requirement to conduct practical risk assessments of the organization’s requirements and vulnerabilities is also present in many segments and jurisdictions
• Most laws do not specify technical or physical requirements beyond requiring that they be reasonable, appropriate or adequate

Page 44: Privacy Breach vs. Security Breach

Inventory your data/assets

• What is it?
• Where is it?
• Where is it going?
• Will it visit third parties?
• Who needs it to do their work?
• How is it used?
• How is it gathered and shared?
• How is it stored?
• What is its final resting place?
• Will it be gone for good?

Page 45: Privacy Breach vs. Security Breach

Assess Risks/Threats

• Identify all threats within the realm of possibility to the security of the data or asset
• Consider all sources, whether:
 – Internal
 – External
 – Natural
 – Man-made
 – Innocent
 – Malicious
• Assess the consequences to the organization should the identified threat materialize
• What is the likelihood of the threat/risk materializing?
• What mitigations are there to counter the risk or recover if it occurs?

Page 46: Privacy Breach vs. Security Breach

Physical Matters

Physical security includes:
• Facility access controls
 – Locks
 – Alarms
 – Guards
• Safeguarding hard copy documents with PI
 – Locking filing cabinets
 – Clean desk policies
• Securing hardware on which PI is stored
 – Computers
 – Mobile devices
 – Flash drives
 – Modems

Page 47: Privacy Breach vs. Security Breach

Administrative Measures

Administrative measures include rules and training applicable to PI handling, such as:
• Ensuring access authorization is only given to individuals with legitimate purposes
• Authentication rules
• Rules limiting what data can be stored on portable devices such as laptops, smart phones, thumb drives and other storage media
• Security provisions in supplier contracts
• Security training for those with access to PI
• On-boarding and termination processes
• Policy administration
• Policy enforcement through appropriate disciplinary actions

Page 48: Privacy Breach vs. Security Breach

Administrative Measures

Technology use policy
• Blogging and social networking, peer-to-peer file sharing programs, remote access, use of laptops

Security breach notification procedure
• How is unauthorized access or acquisition reported?
• Who is on the immediate response team?

Confidentiality policy
• Does it cover confidential information and personal information?

• Training
• Audit
• Office rules – badging, clear desk and screen locks
• Processes and teams for security incident management
• Downstream controls – contractual and audit controls on data recipients
• Officer, Director, and Employee training

Page 49: Privacy Breach vs. Security Breach

Typical Requirements

• Assign responsibility with accountability to a lead person
• Conduct risk assessments
• Establish comprehensive written policies and procedures
• Train employees
• Evaluate and then supervise service providers
• Execute contracts with service providers
• Provide secure disposal
• Audit
• Create and implement incident response, record retention, and disaster recovery plans

Page 50: Privacy Breach vs. Security Breach

Organization

Dealing with high-level requirements (“reasonable security”)
• Determining what “reasonable security” is, is a team effort
• The determination should involve representatives from privacy, IT, legal, physical security, HR/training, and potentially other functions and advisors
• Work to determine what safeguards are necessary based on the specific vulnerabilities of the particular organization (risk analysis), the consequences of a breach, and general good security practices
• Documentation is critical

Page 51: Privacy Breach vs. Security Breach

Be Prepared

Need for breach preparation
• Create an incident response team
• Create and document response procedures
• Communicate regularly
• Seek and obtain senior management support and resource commitment
• Arrange for service providers that will be needed to respond
• Document, document, document

Page 52: Privacy Breach vs. Security Breach

Evaluate Risky Areas

• Collection of information over the Internet and email
• Access to sensitive files by employees and independent contractors
• Dispersed systems and data; duplication (and more) of data
• Access to credit card, health, and financial information
• Transmission, storage, and disposal of computerized data, including data contained on disks and hard drives, and equipment disposal
• Data to be transmitted to any third party
• Storage and disposal of paper records
• Data center moves/consolidations
• Transfer and use by service providers/outsourcing
• Mobile computing and employee-owned devices
• Logging and monitoring (employees, system access, phones/internet/email)

Page 53: Privacy Breach vs. Security Breach

Technical Measures

Technical security relates to the protection of electronic information through methods including:
• Access control: unique user ID, auto logoff, need to know
• Monitoring: log-in, movement of ePHI
• Audit: who accessed, how and when modified
• Encryption: at rest (server, laptop, mobile), in transmission
• Authentication: confirming identity, managing accounts
• Firewalls, anti-virus, and anti-spyware protections
• Changing default settings and thereafter periodically changing (non-default) IDs and passwords for internet-facing devices

Page 54: Privacy Breach vs. Security Breach

Technical Measures

• Basic rules for employees
 – Do not email sensitive or special PI
 – Do not access more than that which is needed
 – Create and use secure documents
 – Use passwords
• System deployment and approval processes – what needs to happen before you flip the switch
• Eliminate unnecessary data and keep tabs on what is left
• Monitor and mine event logs
• Ensure essential controls are met; regularly check they remain so

Page 55: Privacy Breach vs. Security Breach

* From Verizon 2012 DBIR pgs 63-66

Technical Measures*

Hacking: use of stolen credentials
• Use two-factor authentication
• Change passwords on suspicion of theft
• Time-of-use rules
• IP blacklisting
• Restrict administrative connections

Page 56: Privacy Breach vs. Security Breach

Technical Measures*

Malware: backdoor, command and control
Hacking: exploitation of backdoor or command and control channel
• Egress filtering
• Use of proxies for outbound traffic
• IP blacklisting
• Host IDS or integrity monitoring
• Restrict user administrative rights
• Personal firewalls
• DLP tools
• Antivirus and antispyware tools
• Web browsing policies

Page 57: Privacy Breach vs. Security Breach

Technical Measures*

Physical tampering
• Train employees and customers to look for and detect signs of tampering, and to do so throughout the day
• Set up and train staff on a procedure for service technicians, including a method to schedule and authenticate technicians and maintenance vendors
• Push vendors for anti-tamper technology/features, or only purchase POS and PIN devices with anti-tamper technology

Page 58: Privacy Breach vs. Security Breach

Technical Measures*

Keylogger/form-grabber/spyware
• Restrict administrative rights
• Code signing
• Use of live boot CDs
• One-time passwords
• Anti-virus and anti-spyware
• Personal firewalls
• Web content filtering and blacklisting
• Egress filtering
• Host IDS (HIDS) or integrity monitoring
• Web browsing policies
• Security awareness training
• Network segmentation

Page 59: Privacy Breach vs. Security Breach

Technical Measures*

Pretexting (social engineering)
• General security awareness training
• Clearly defined policies and procedures
• Train staff to recognize and report suspected pretexting attempts
• Verify suspect requests through trusted methods and channels
• Restrict corporate directories (and similar sources of information) from public access

Page 60: Privacy Breach vs. Security Breach

Technical Measures*

Brute-force attack
• Use technical means of enforcing password policies
• Account lockouts
• Password throttling
• Password cracking tests
• Access control lists
• Restrict administrative connections
• Two-factor authentication
• CAPTCHA
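The brute-force countermeasures above, together with the earlier advice to monitor and mine event logs, as an added example that is not code from the presentation or the DBIR: a detector that mines OpenSSH-style auth log lines for failure bursts per source IP (flagging a success that follows a burst, which is the stolen-credential case), plus an account lockout and throttling policy tracked per account so a distributed guess against one account is still caught. The log lines, thresholds and time windows are constructed assumptions.

```python
"""Brute-force detection over auth log lines, with account lockout and
throttling. Added example; log lines, thresholds and windows are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's syslog format (a real deployment would read
# /var/log/auth.log or a SIEM export): five failures from one IP in five
# seconds, then a success from the same IP; a normal user elsewhere.
SAMPLE_LOG = """\
Jun 20 09:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 50000 ssh2
Jun 20 09:00:02 host sshd[1002]: Failed password for root from 203.0.113.7 port 50001 ssh2
Jun 20 09:00:03 host sshd[1003]: Failed password for root from 203.0.113.7 port 50002 ssh2
Jun 20 09:00:04 host sshd[1004]: Failed password for root from 203.0.113.7 port 50003 ssh2
Jun 20 09:00:05 host sshd[1005]: Failed password for root from 203.0.113.7 port 50004 ssh2
Jun 20 09:00:06 host sshd[1006]: Accepted password for root from 203.0.113.7 port 50005 ssh2
Jun 20 09:15:00 host sshd[1007]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jun 20 09:30:00 host sshd[1008]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2012):
    """Return (timestamp, result, user, ip) tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert per source IP once `threshold` failures land inside `window`.
    A later success from an alerted IP is marked: that is the
    credentials-guessed case, which needs a password change, not just a block."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, result, _user, ip in events:
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(q), "success_after": False}
        elif ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


class LockoutPolicy:
    """Account lockout plus throttling, tracked per account rather than per IP
    so a distributed guess against one account is still caught: each failure
    within `window` doubles the delay to impose; at `max_failures` the account
    locks for `lock_for`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lock_for=timedelta(minutes=30)):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def check(self, user, now):
        """Return (allowed, delay_seconds) for an attempt at time `now`."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return False, (until - now).total_seconds()
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()
        return True, float(2 ** len(q) - 1)  # 0, 1, 3, 7, 15 ... seconds

    def record_failure(self, user, now):
        q = self.failures[user]
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lock_for
            q.clear()

    def record_success(self, user):
        self.failures.pop(user, None)


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The detector keys on source IP because that is what the DBIR's IP blacklisting recommendation acts on; the lockout policy keys on the account because password spraying from many addresses defeats a per-IP rule. Both are deliberately stateful in memory only; a production version would persist state and feed the alert into the incident process described later.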

Page 61: Privacy Breach vs. Security Breach

Technical Measures*

SQL injection
• Secure development practices
• Input validation
• Use of parameterized queries and/or stored procedures
• Adherence to the principle of least privilege for database accounts
• Removal of unnecessary services
• System hardening
• Disable output of database error messages to the client
• Application vulnerability scanning
• Penetration testing
• Web application firewall
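Three of the SQL injection controls above, shown together as an added example that is not code from the presentation or the DBIR: the string-built query that is the root cause beside its parameterized form, a least-privilege restriction on what the application's database identity may do, and suppression of database error text toward the client. It runs against an in-memory SQLite table with constructed rows; SQLite has no user accounts, so its authorizer hook stands in for the GRANT statements a server DBMS would use, which is an assumption of this example rather than the author's setup.

```python
"""SQL injection: string-built query beside the parameterized one, a
least-privilege authorizer for the app's DB identity, and error suppression
toward the client. Added example; table and rows are constructed."""
import sqlite3

SERVER_LOG = []  # stands in for the application's server-side log


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers (email, ssn) VALUES (?, ?)",
                     [("alice@example.com", "123-45-6789"),
                      ("bob@example.com", "987-65-4321")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The pattern behind the SQLi findings: user input spliced into SQL text,
    so a value like  ' OR '1'='1  rewrites the WHERE clause."""
    sql = f"SELECT email, ssn FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Same query with a bound parameter: the driver passes the value
    separately and the SQL parser never sees it."""
    return conn.execute("SELECT email, ssn FROM customers WHERE email = ?",
                        (email,)).fetchall()


def read_only_authorizer(action, arg1, _arg2, _dbname, _source):
    """Least privilege for the database identity the web tier uses: permit
    SELECT and column reads on `customers`; deny writes, DDL and everything
    else. A server DBMS expresses this with GRANT; SQLite has no accounts,
    so its authorizer hook (called while each statement is compiled) stands in."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "customers":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def lock_down(conn):
    conn.set_authorizer(read_only_authorizer)


def is_denied(conn, sql):
    """True if the authorizer blocks `sql` (SQLite raises on SQLITE_DENY)."""
    try:
        conn.execute(sql)
        return False
    except sqlite3.Error:
        return True


def guarded(query_fn, conn, value):
    """What the client sees: rows, or a generic failure. The driver's message
    (syntax hints, table names) goes to the server log, never into the
    response, which removes the oracle that error-based injection relies on."""
    try:
        return {"ok": True, "rows": query_fn(conn, value)}
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"db error for value={value!r}: {exc}")
        return {"ok": False, "error": "Lookup failed"}


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))      # every row, SSNs included
    print(lookup_parameterized(db, "' OR '1'='1"))  # []
    lock_down(db)
    print(is_denied(db, "DELETE FROM customers"))    # True
```

The tautology payload returns every row, SSNs included, through the string-built query and nothing through the parameterized one; the same input with an unbalanced quote makes the vulnerable query raise, and `guarded` shows why the slide says to disable error output to the client. Once `lock_down` is applied, a DELETE or DROP TABLE fails at compile time even though the application code would happily run it, which is what least privilege on the database account buys you when the injection control itself is missed somewhere.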

Page 62: Privacy Breach vs. Security Breach

Technical Measures*

Unauthorized access via default credentials
• Change default credentials (prior to deployment)
• Delete or disable default accounts
• Scan for known default passwords (following deployment)
• Password rotation
• Inventory of remote administrative services (especially those used by third parties)
• For third parties: contracts (stipulating password requirements)
• Consider sharing administrative duties
• Scan for known default passwords (for assets supported by third parties)

Page 63: Privacy Breach vs. Security Breach

Technical Measures*

Phishing (and endless *ishing variations)
• General security awareness training
• Clearly defined policies and procedures
• Policies regarding use of email for administrative functions
• Train staff to recognize and report suspected phishing messages
• Configure email clients to render HTML emails as text
• Anti-spam
• Email attachment virus checking and filtering

The slides with an asterisk (*) contain the recommendations from the Verizon 2012 Data Breach Investigations Report, pages 63-66

Page 64: Privacy Breach vs. Security Breach

Breach Incident Processing

• Assemble the team and dust off the plan
• Stop the bleeding
• Determine the injury
• Involve those with whom prior arrangements were made, as necessary
• Notify as required in an appropriate manner
• Report to authorities as required
• Document actions and the reasons for them
• Fix the concern
• Evaluate and revise as necessary

Page 65: Privacy Breach vs. Security Breach

Breach Incident Processing

According to regulatory advice, in the event of an incident do:
• Immediately isolate affected systems to prevent further intrusion, loss of data or other damage
• Assume email traffic may be monitored; use the telephone or other reasonably secure means to communicate (VOIP?)
• Notify law enforcement
• Activate all auditing software if not already activated
• Preserve pertinent system logs
• Make backup copies of damaged or altered files and keep them securely
• Identify where the affected system resides in the network topology
• Identify all systems and agencies that connect to the affected system
• Identify programs and processes that operate on the affected system, the impact of the disruption, and the maximum allowable outage time
• If necessary, make arrangements for continuity of services

Don't delete, move or alter files, contact the suspected perpetrator, or do forensic analysis
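The "preserve pertinent system logs" and "make backup copies of damaged or altered files and keep them securely" steps above, with the closing "don't delete, move or alter files" rule, as an added example that is not code from the presentation: a small collector that copies the files of interest into an evidence directory without touching the originals, makes each copy read-only with its modification time kept, records SHA-256 digests, sizes, original mtimes and the collector's name in a manifest whose own digest is written beside it, and can later re-verify every copy. The sample files it builds are constructed, and the collector name and directory layout are assumptions.

```python
"""Evidence preservation for the incident steps above: copy affected files
read-only, hash them, write a manifest, verify later. Added example; sample
files, collector name and layout are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(paths, evidence_dir, collector):
    """Copy each file into evidence_dir with its mtime kept (copy2), make the
    copy read-only, and record who collected what, when, and its digest.
    Originals are only read: never moved, edited or deleted."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "items": []}
    for i, src in enumerate(paths):
        st = os.stat(src)
        dst = os.path.join(evidence_dir, f"{i:04d}_{os.path.basename(src)}")
        shutil.copy2(src, dst)
        os.chmod(dst, 0o440)
        digest = sha256_file(src)
        if sha256_file(dst) != digest:  # catch a torn copy before relying on it
            raise RuntimeError(f"copy of {src} does not match its source")
        manifest["items"].append({
            "source": os.path.abspath(src), "copy": dst, "size": st.st_size,
            "source_mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": digest})
    mpath = os.path.join(evidence_dir, "manifest.json")
    with open(mpath, "w") as f:
        json.dump(manifest, f, indent=2)
    # Digest of the manifest itself; in practice this value is also copied onto
    # the paper chain-of-custody record so the manifest cannot be quietly edited.
    with open(mpath + ".sha256", "w") as f:
        f.write(f"{sha256_file(mpath)}  manifest.json\n")
    return manifest


def verify(evidence_dir):
    """Re-hash the manifest and every copy; return the paths that no longer match."""
    mpath = os.path.join(evidence_dir, "manifest.json")
    with open(mpath + ".sha256") as f:
        expected = f.read().split()[0]
    if sha256_file(mpath) != expected:
        return [mpath]
    with open(mpath) as f:
        manifest = json.load(f)
    return [it["copy"] for it in manifest["items"] if sha256_file(it["copy"]) != it["sha256"]]


def build_sample_case():
    """Constructed stand-ins for an affected host's files: an auth log and a
    web server config carrying a module line nobody remembers adding."""
    work = tempfile.mkdtemp(prefix="case-")
    log = os.path.join(work, "auth.log")
    cfg = os.path.join(work, "httpd.conf")
    with open(log, "w") as f:
        f.write("Jun 20 09:00:02 host sshd[1002]: Failed password for root from 203.0.113.7 port 50001 ssh2\n")
    with open(cfg, "w") as f:
        f.write("LoadModule unexpected_module modules/mod_unexpected.so\n")
    return work, [log, cfg]


def demo():
    """Preserve the sample, verify, then tamper with one copy and verify again."""
    work, files = build_sample_case()
    evidence = os.path.join(work, "evidence")
    manifest = preserve(files, evidence, collector="analyst")
    clean = verify(evidence)
    originals_intact = all(sha256_file(it["source"]) == it["sha256"]
                           for it in manifest["items"])
    tampered = manifest["items"][1]["copy"]
    os.chmod(tampered, 0o640)
    with open(tampered, "a") as f:
        f.write("# edited\n")
    return {"items": len(manifest["items"]), "clean": clean,
            "originals_intact": originals_intact, "after_tamper": verify(evidence)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The collector deliberately stops at copying and hashing: it does no analysis, in keeping with the slide's closing warning, and it leaves the originals untouched so that whoever does the forensic work later has a defensible source. Hashing the manifest and writing that digest somewhere outside the evidence directory is what lets a reviewer tell a later edit from the original collection.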

Page 66: Privacy Breach vs. Security Breach

Breach Notification

• Internal processes
• Training
• Policies and practices
• Supplier action implications

Page 67: Privacy Breach vs. Security Breach

Other Countries with Privacy/Security Rules

• Argentina
• Australia
• Austria
• Belgium
• Brazil (Pending)
• Bulgaria
• Canada
• Chile
• China (Pending)
• Colombia
• Costa Rica (Pending)
• Cyprus
• Czech Republic
• Denmark
• Ecuador (Pending)
• Estonia
• Finland
• France
• Germany
• Greece
• Hong Kong
• Hungary
• Iceland

Page 68: Privacy Breach vs. Security Breach

Other Countries with Privacy/Security Rules

• India
• Irish Republic
• Israel
• Italy
• Japan
• Latvia
• Liechtenstein
• Lithuania
• Luxembourg
• Malaysia
• Netherlands
• New Zealand
• Norway
• Paraguay
• Peru
• Philippines (Pending)
• Poland
• Portugal
• Romania
• Russia
• Serbia
• Singapore
• Slovakia
• Slovenia

Page 69: Privacy Breach vs. Security Breach

Other Countries with Privacy/Security Rules

• South Africa (Pending)
• South Korea
• Spain
• Sweden
• Switzerland
• Taiwan
• Thailand (Pending)
• Tunisia
• Turkey (Pending)
• UAE (DIFC)
• United Kingdom
• United States
• Uruguay
• Vietnam (Pending)

Page 70: Privacy Breach vs. Security Breach

Questions?

Keith A. Cheresko, Privacy Associates International LLC

[email protected]

(248) 535-2819
