Secure Times Spring 2010
Analysis of the legal and policy issues around geolocation and location-aware apps and services.

The Secure Times, Volume 5, No. 1, Spring 2010
Newsletter of the Section of Antitrust Law’s Privacy and Information Security Committee

Editors: Alysa Zeltzer Hutnik, Mary Ellen Callahan, David B. Esau, Carla A. R. Hine

In This Issue
Where Are We Headed? Sorting out the Legal and Policy Questions around Location Apps, by Saira Nayak (p. 2)
Will Laws That Build Upon PCI-DSS Lead to Greater Security?, by Chris Nutt and Frank Nagle (p. 9)
The New Wave of Privacy and Data Security Considerations Affecting Cross Channel Marketing by Retailers, by Benita Kahn (p. 14)
Data Security and Privacy Audits: Steps to Protect Reports, by Dana Rosenfeld and Kristin Hird (p. 20)
When Does an Organization Have a P2P Problem?, by Kristin Cohen (p. 23)
National Data Security Standards: Potential Implications of Preemption, by John Fedele (p. 28)

The Secure Times is published by the American Bar Association Section of Antitrust Law’s Privacy and Information Security Committee. The views expressed in The Secure Times are the authors’ only and not necessarily those of the American Bar Association, the Section of Antitrust Law or the Privacy and Information Security Committee. If you wish to comment on the contents of The Secure Times, please write to the American Bar Association, Section of Antitrust Law, 321 North Clark St., Chicago, IL 60610.

Copyright Notice
Copyright 2010 American Bar Association. The contents of this publication may not be reproduced, in whole or in part, without written permission of the ABA. All requests for reprints should be sent to: Director, Copyrights and Contracts, American Bar Association, 321 N. Clark, Chicago, IL 60654, FAX: 312-988-6030, email:

A Word From the Chair
We are pleased to present this latest edition of The Secure Times. This issue has a particular focus on practical considerations associated with business and legal issues facing many privacy and data security practitioners – whether as a result of new technology, evolving privacy standards, data security threats, and new legal requirements. Articles include a legal and policy analysis of locational mobile applications; a forensic view of PCI-based laws and whether they are likely to improve security practices; evolving privacy considerations in cross-channel marketing; privilege considerations with data security and privacy audit reports; P2P risks and
remediation strategies; and potential effects of nationalizing data security standards. We hope that you find this information informative and useful.

Please also check out the Privacy and Information Security Committee’s website, and our online forum, www., which tracks the latest developments on privacy and security issues, courtesy of our terrific contributors to our monthly privacy updates. Finally, as always, if you would like to become more involved in our Committee – whether as a speaker, article or blog contributor, or in a behind-the-scenes role – please let us know. Happy reading.

Alysa Z. Hutnik

Where Are We Headed? Sorting out the Legal and Policy Questions around Location Apps
Saira Nayak

From Silicon Valley to Silicon Alley, the mobile web is booming with location applications (apps) featuring “geo-location”1 – a type of technology that associates the location of your computer or phone with a physical venue such as a restaurant or a store.2 This technology allows companies to gain valuable real-time information about the marketplace and their customers, while also providing users with relevant, location-specific discounts and

Geo-location is having a truly transformative impact on the online marketing business – because it is able to bring discounts and promotions directly to the point of purchase.3

As “geo-marketing” heats up, so does the need to counsel companies that are considering use of location apps in their marketing efforts. This article delves into some of the legal and policy considerations under laws in the United States that privacy practitioners may want to consider when counseling companies on the privacy and security impact of geo-location and location apps. The article also discusses the important market developments and factors that are driving adoption of this important and increasingly useful technology.

Location Apps: Old Wine in a New Bottle
Geo-location technology has been in use since 1999 and has a wide range of application. Online retailers and payment processors use it to authenticate users; the technology is also used in electronic tolling systems on bridges, and in the monthly swipe cards you use on public transit systems.4 On your phone, location apps work to identify current location using your computer’s IP address or your smart phone’s GPS chip.

Location app development and adoption accelerated with the introduction of smartphones.5 Industry insiders point to the iPhone and Google Maps (an early location app) as some of the first examples of geo-location at work. With over 45 million devices sold worldwide, the iPhone continues to be a significant factor driving geo-location (and smartphone) adoption worldwide.6 Development of location-based apps is also active on other smartphone platforms – such as Google’s Android and Microsoft’s Windows

Location apps can be plugged in to existing social media platforms – such as Facebook and Twitter – which allow third-party developers to integrate geo-location apps into their service.7 This means that, with little technological investment, a company can leverage the capabilities of existing platform services – like Facebook – to further
its marketing strategy. That’s precisely what McDonalds aimed to do when it “friended” Facebook in a well-publicized marketing deal recently. Working together, the companies plan to create a location app that will direct you to the nearest McDonalds location. The app will also allow users to personalize their location-based Facebook status updates with pictures of a favorite McDonald’s indulgence.8

Many other companies are starting to integrate geo-location into their loyalty program and marketing efforts through innovative location apps that run on a user’s smartphone.9 Examples include:

• Macy’s and Best Buy, who are working with Shopkick, a Palo Alto-based start-up, on a mobile app that will enhance consumers’ brick-and-mortar shopping experience by providing “personalized offers, product information and peer advice, as well as guidance on which stores have the best offers.”10 Shopkick was the creator of Causeworld, an extremely popular mobile app that allows shoppers to redeem “karma points” while shopping at participating retailers, and then convert those points to charitable donations.

• The Loopt mobile app11 allows consumers to check in to various locations (retailers, restaurants), and instantly share consumer check-ins with their network. Loopt also works with retailers to provide coupon offers at the point of interest, eliminating the need to coupon clip.

• Foursquare12 combines the fun of a game with the utility of geo-location by allowing consumers to earn badges based on the number of places they’ve checked into. The company recently introduced a tool that allows participating businesses to see data on their Foursquare-using customers: number of check-ins, how many check-ins are male or female, etc. Foursquare also allows development of compatible applications on its platform. For instance, Yipit13 is a Foursquare plug-in that determines the consumer’s best daily deal at shops, retailers and restaurants in his or her area. Because Yipit plugs into Foursquare, it also lets consumers know if there’s a good deal going at one of the places the consumer has previously checked into using Foursquare’s app.

• Pepsi is about to launch Pepsi Loot, which it describes as “the first geo-based iPhone application that has a loyalty program associated with it.”14 This location app will connect users to the ecosystem of over 200,000 restaurants or “Pop Spots” that serve Pepsi products. With this many locations, Pepsi customers will have plenty of opportunities to earn and redeem Loot points for discounts and other goodies (like exclusive music and video downloads). Pepsi is also working to integrate its loyalty program into Foursquare’s mobile app; Pepsi Loot users would get a Foursquare notification when they are close to a Pepsi Pop Spot.

These examples illustrate the rich diversity of companies (and business models) currently integrating geo-location into their product or market strategy.

How Does Current US Law Apply to Location Apps?
We’ve seen that geo-location is both an exciting technological trend and an important marketing tool – one that provides crucial, time-sensitive data to companies about their customers. Combining customers’ data profile with their precise geographic location can be clearly beneficial to a company’s promotional efforts. In the absence of a comprehensive federal privacy framework addressing geo-location, how should legal advisors counsel companies seeking to capitalize on this exciting technology? What
type of obligations does this type of data collection trigger under current federal and state laws?

Here are some important points to remember when counseling clients on the data security and privacy implications of using location apps in a product or marketing strategy:

Know Your App
Factual due diligence is very important when counseling companies around the use of geo-location and location apps. It is important to be mindful of policies around the collection and storage of geo-location data, and whether that data can be linked to individual users.15 When combined with personal information, geo-location data can be extremely sensitive. The ability to create a “super data profile” – that merges a user’s personal information with their location – has raised privacy concerns with both consumer advocates and regulators.16

Ideally, the legal advisor would already be familiar with the company’s business model and technology. A preliminary step would be to review the company’s existing information security practices to determine what type of personal information is already being collected and the data flows for that information. Next, the legal advisor would need to determine how the location app would collect data, how that data would be stored, and what data flows are involved.

The data flow question is critical. To get the full answer, the legal advisor will need to ask questions about whom the company is partnering with for development, deployment, and marketing of the location app. Will the company share geo-location data with an online advertiser or marketer? Will the company host the location app on its own mobile or Internet website, or on a social-media platform like Facebook? Does the company want to develop a virtual loyalty-based program for its users using geo-location services like Loopt or Foursquare? In such cases, it’s a good idea to review the terms of service and privacy policies of other parties implicated by the agreement.

For example, if your client is developing a mobile app with geo-location features for the iPhone, then you will want to review Apple’s iPhone developer agreement to make sure that the technology meets Apple’s requirements for iPhone apps. For instance, a recent version of the iPhone Developer Agreement requires that all iPhone apps that use “location-based APIs” be compliant with “all applicable privacy and data collection laws and regulations….”17 Once the location app is deployed, it’s a good idea to monitor partner policies for important changes. For example, Apple recently announced changes to its developer policy that prohibit use of the iPhone’s geo-location features for apps that are designed primarily to deliver targeted ads.18

Once the factual due diligence is complete, and before the location app or service is launched, the company should amend its information security practices, as well as its privacy and other notices, to reflect the collection and use of geo-location data.

Do FTC Principles on Behavioral Advertising Apply?
Two years ago – in a particularly prescient move – the FTC held a town hall meeting on mobile marketing, where it specifically discussed the privacy impact of location-based services.19 The FTC’s findings from that workshop are included in a report discussing the FTC’s Self-Regulatory Principles for Behavioral Advertising.20 The four Principles21 are not binding regulations or statutes, but they do provide guidance for self-regulatory efforts. They are:
Principle 1 – Transparency and Control;
Principle 2 – Reasonable Security and Limited Data Retention of Consumer Data;
Principle 3 – Affirmative Express Consent for Material Retroactive Changes to Privacy Promises; and
Principle 4 – Affirmative Express Consent to (or Prohibition Against) Sensitive Data.

The Principles specifically apply to companies engaged in “behavioral advertising” – which is defined as “the tracking of consumers’ online activities over time … in order to deliver advertising targeted to the individual consumer’s interests.”22 The Principles omit first-party advertising, i.e., ads generated in response to a single website visit or search query, from the definition.

Based on the testimony at the 2008 Town Hall and other comments, FTC staff has recommended that “precise geographic location” be classified as a sensitive category of information – one that deserves “heightened protection.”23 As we saw earlier, FTC staff also recommend that an “affirmative express consent” or user opt-in be obtained for collection of sensitive data. Since the Principles are intended to provide self-regulatory guidance, companies should strongly consider using opt-in notice for location apps – especially if they also plan to use the collected data for targeted advertising efforts.

Be Aware of Liability under Deceptive or Unfair Trade Practices Laws
Under Section 5 of the FTC Act,24 and similar state statutes,25 companies can be prosecuted for privacy violations stemming from a “deceptive” notice. Put differently, a company that captures data for one purpose, and then proceeds to use that same data for another purpose that is inconsistent with its privacy policy, may be liable under state and federal26 deceptive trade practices laws. To avoid this type of risk, companies should make sure that their data collection and use matches what is laid out in the company’s privacy policies and notices.

A company can also be found to have engaged in an “unfair” practice under federal27 and state28 laws for failing to protect personally identifiable data.

With the proliferation of location apps on smartphones, companies may need to start thinking about different, more creative forms of notice29 to comply with federal or state laws – or risk losing users who eventually tire of being notified every single time the app is opened. Take the example of a mobile store locator app – a notification each time you open the app to locate a store would be redundant, especially since you are electing to have the app guide you to the store’s location in the first place. A less intrusive method, which would be just as effective, could be an initial notification – supplemented by key reminders for important events like software updates.

Federal and State Data Security Obligations
In instances where geo-location data is being combined with personal data to provide a service, legal advisors should be mindful of obligations that certain types of companies have under other federal and state laws for collection and protection of personal information. These include:

Children’s Online Privacy Protection Rule – Under authority from Congress, the FTC has issued rules governing the online collection of personal information from children, which applies to websites and online services that are directed to children under the age of 13.30 The FTC is
currently reviewing COPPA and considering, among other things, whether to expand the definition of “personal information” under the rule to include “mobile geo-location data.”31

HIPAA32 and FTC Health Breach Rule – If the company developing a location app is a “covered entity” under HIPAA, then activities involving personal health information may come under the ambit of HIPAA and the FTC’s Health Breach Notification Rule. Under the recent HITECH amendments, HIPAA obligations now apply to “business associates” of covered entities, such as third party service providers.33

FACTA and The FTC Red Flag Rules – Under authority from the Fair and Accurate Credit Transactions Act or “FACTA,” the FTC has promulgated the Red Flags Rules, which it will enforce starting December 31, 2010. These Rules require that “creditors” and “financial institutions” develop written information security programs that identify potential “red flags” for identity theft.34 Companies that come within the ambit of this rule may consider red-flagging geo-location data – particularly if it is used in combination with personal information to deliver targeted ads or services.

Section 222 of the Federal Communications Act – requires that telecommunications providers take specific steps to secure customer proprietary network information (CPNI).35

Electronic Communications Privacy Act – sets out requirements under which the government can access private Internet communications. This includes elevated process such as a warrant for certain categories of personal information that are considered “content.”36

State Security Breach Notification Laws – a majority of states have laws that require consumers to be notified in the event that their “personal information” is “breached.”37

State Safeguard Laws – eight states, including California, Maryland and Texas, have enacted general safeguard laws to protect personal information.38

State Business Record Disposal Laws – at least 19 states now have laws that regulate the disposal of business records containing personal information.39

Massachusetts Data Security Regulations – oblige companies to encrypt the personal information of Massachusetts residents.40 These encryption requirements apply broadly and include personal information stored on laptops as well as other portable devices.41

Applicable Law from Other Jurisdictions
While this article focuses on the application of U.S. law, legal advisors should consult laws and guidance from other relevant jurisdictions. European law, in particular, may differ from U.S. requirements. For instance, Europe’s e-Privacy Directive states that an individual’s location data may not be stored once the service is provided – unless that data is needed for billing and interconnection purposes.42 These laws continue to evolve rapidly; Mexico just announced its first-ever Federal Law for the Protection of Personal Data, which prescribes regulations for both public and private entities.43

Looking Ahead: Regulation and the Future of Location Apps
The future of geo-location technology and location-based apps is closely aligned with the ongoing debate around what constitutes effective regulation of privacy and data
security online. This is a debate that continues to evolve in all branches of government – administrative, judicial, and legislative. The FTC has signaled its intent to articulate a national framework to protect consumers’ privacy while also supporting self-regulatory approaches.

Congress is currently considering federal privacy legislation that will impose additional notice obligations on companies with regards to the collection and use of personal data.44 Privacy legislation has been introduced in Congress that classifies “precise geolocation information” as sensitive data, and would require that the user specifically opt in to use of this type of data for advertising purposes. Finally, in a decision that will likely impact privacy analysis for all types of electronic communications, the Supreme Court is currently considering the important question of whether there is a reasonable expectation of privacy in text messages sent by government employees under the Fourth Amendment.45

In addition to government attention on the issue, consumer advocates have been publicly vocal about their policy concerns with geo-location. These concerns mostly focus on the ability of governments and other entities to create comprehensive data profiles that may compromise a user’s locational and other privacy.46 The Electronic Frontier Foundation, in its whitepaper on locational privacy, highlights two additional concerns: retention of geo-location data may subject a company to legal requests for data, and storing geo-location data over extended periods of time will increase the likelihood of identity theft.

Proponents argue that geo-location has some very beneficial uses – some of which have yet to be discovered – and that over time, these benefits will outweigh the privacy concerns about the technology. Consider, for instance, the utility of being able to locate a lost phone, or being allowed to remotely power off a lost phone to protect valuable data. Clearly these are valuable uses of the technology that should not be restricted due to locational privacy.

It is likely that our perspective on location apps will change with increased adoption of geo-location technologies. Already, geo-location is becoming an almost ubiquitous feature of the mobile web – a feature that enhances other applications and services. Will widespread adoption of this technology eventually alleviate privacy concerns about its use? Much of that answer will lie in how favorable the user experience is with the technology, and whether people are able to trust that their personal information will not be compromised by use of a location app or service. One thing is certain – it is likely that the rules governing the collection and use of geo-location data will change in the near future. Legal advisors and practitioners should continue to monitor all activity – government-initiated, as well as those in the court of public opinion.

Saira Nayak is a Principal at Nayak Strategies, where she counsels companies on privacy and data compliance, as well as regulatory outreach. She can be reached at
The information contained in this article is not intended as, nor should it serve as a substitute for, legal advice, which turns on specific facts.

Endnotes
1 Apparently, “geo-location” is the tech buzzword of the year. Daniel Ionescu: Geolocation 101: How it Works, the Apps, and Your Privacy, geolocation_101_how_it_works_the_Apps_and_your_privacy.html (last visited May 14, 2010).
2 Geo-location, Geo-location (last visited May 14, 2010).
3 Stephanie Clifford, Linking Customer Loyalty with Social Networking, New York Times, April 28, 2010, http:// html?emc=tnt&tntemail0=y
4 Geo-location Software, http://en.wikipedia.org/wiki/Geolocation_software (last visited May 14, 2010).
5 Location-Based Service, http://en.wikipedia.org/wiki/Location-based_service (last visited May 14, 2010).
6 Sarah Perez: iPhone OS International Growth on the Rise, Still Dominates Mobile Web Traffic, archives/iphone_os_international_growth_on_the_rise.php (last visited May 14, 2010).
7 This is how you can post your Foursquare check-ins on Facebook or add your current location to your tweets.
8 Emily Bryson York: McDonalds to Use Facebook’s Upcoming Location Feature, id=143742 (last visited May 14, 2010).
9 Simon Salt: What’s Next For Geolocation? Apps, Apps, Apps, geolocation_apps_apps_apps.php (last visited May 14, 2010).
10 Shopkick Signs Major Partnership Deals with Best Buy and Macy’s in Lead-Up to App Launch in the Summer, http://www. (last visited May 14, 2010).
11 Loopt, (last visited May 14, 2010).
12 Foursquare, (last visited May 14, 2010).
13 Yipit, (last visited May 14, 2010).
14 Dan Butcher: Pepsi rolls out multifaceted LBS mobile loyalty initiatives, database-crm/6138.html (last visited May 14, 2010).
15 FTC staff has recommended that “precise geographic location” be given “heightened protection.” FTC Staff Report, Self-Regulatory Principles for Online Behavioral Advertising (2009) (FTC BA Principles Report) at 42, os/2009/02/P085400behavadreport.pdf.
16 Marshall Kirkpatrick, Location Data Sensitive Like Medical Information, Says Congressional Witness, http://www. medical_information_s.php (last visited May 14, 2010).
17 iPhone Developer Program License Agreement, § 3.3.7, http:// (last visited May 14, 2010).
18 Bruce Chen: iPhone Devs Not Allowed to Use Geo-location Just for Ads, apps-not-allowed-to-use-geolocation-just-for-ads/ (last visited May 14, 2010).
19 See generally Transcript of Town Hall Record, Beyond Voice: Mapping the Mobile Marketplace (May 6, 2008) (Session 4, “Location-Based Services”), available at http:// transcripts/050608_sess4.pdf
20 FTC BA Principles Report, P085400behavadreport.pdf
21 Id. at 30 – 42.
22 Id. at 46.
23 Id. at 42.
24 15 U.S.C. § 45 (a)(1).
25 See, e.g., Massachusetts Consumer Protection Act, Mass. Gen. Laws Ch. 93A § 2(a) (2009).
26 See, e.g., In the Matter of Microsoft Corp., FTC Docket No. C-4069 (Dec. 20, 2002) (alleging that company violated privacy promises for its Passport product).
27 15 U.S.C. § 45 (a)(1). See, e.g., Life is good, Inc., FTC Docket No. C-4218 (Apr. 16, 2008) (alleging that the company violated promises about the security provided for customer data); Petco Animal Supplies, Inc., FTC Docket No. C-4133 (Mar. 4, 2005) (same).
28 See, e.g., Cal. Bus. & Prof. Code, § 17200 (West 2009).
29 It is notable that the following language was added to the final version of the FTC Behavioral Advertising Report: “Where the data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.).” FTC BA Principles Report, at 48.
30 16 C.F.R. § 312.
31 See FTC Seeks Comment on Children’s Online Privacy Protections; Questions Whether Changes to Technology Warrant Changes to Agency Rule, opa/2010/03/coppa.shtm
32 42 CFR Part 2. § 164.501.
33 See Complying with FTC’s Health Breach notification rule, shtm
34 Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 16 C.F.R. § 681 (2007).
35 CPNI data includes phone numbers called, frequency, duration and timing of such calls and related services purchased by the consumer. 47 U.S.C. § 151 (1996).
36 The Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510.
37 See, e.g., Fla. Stat. Ann. § 817.5681 (1)(a) (2009). According to a recent post on the Proskauer privacy blog, 46 states – with the exception of Alabama, Kentucky, New Mexico, and South Dakota – now have data breach laws. http://privacylaw. late-to-come-to-the-party-mississippi-joins-45-other-states-by-enacting-a-security-breach-notification-law/
38 California enacted the nation’s first general information safeguard law. Cal. Civ. Code § 1798.81.5(b) (2009).
39 See, e.g., Cal. Civ. Code § 1798.81 (2009).
40 Standard for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00 (2009), pdf
41 201 CMR 17.04(5).
42 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Article 9, para 1, OJ L 201, 31.7.2002.
43 The law also provides for up to $1.5 million in penalties for violations. ta&sm=1001&id=2879&lg=61 (last visited May 14, 2010).
44 Rep. Boucher and Rep. Stearns introduced a discussion draft of the yet un-named legislation on May 4, 2010. http://www.
45 See generally City of Ontario v. Quon, 529 F.3d 892, cert. granted, (U.S. Dec. 14, 2009) (No. 08-1332).
46 The Electronic Frontier Foundation has published a white paper on locational privacy, which it defines as “the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use.” Andrew J. Blumberg & Peter Eckersley: On Locational Privacy, And How to Avoid Losing it Forever, privacy (last visited May 14, 2010).

Will Laws That Build Upon PCI-DSS Lead to Greater Security?
By Chris Nutt and Frank Nagle

Minnesota, Nevada, and Washington have enacted laws that provide financial institutions, e.g., banks, with the ability to recover the costs of reissuing payment cards after cardholder data has been stolen. With re-issuance costs estimated to be between “$20.00 and $50.00”1 for a single card, this could have a tremendous impact on many organizations.

Each state has its own requirements for protecting cardholder data, but most state laws rely, to some extent, on the Payment Card Industry Data Security Standard (PCI-DSS). It is clear, for example, that the PCI-DSS standards have impacted the state laws in Minnesota,2 Nevada,3 and Washington.4 In this article, we review the technical requirements of PCI-DSS to examine whether they will positively impact security and reduce payment card fraud.

Our analysis of PCI-DSS is split into two sections: weaknesses and strengths. Contrasting the technical requirements with real world implementation of best
practices in various industries, including those not subject to PCI-DSS, we attempt to identify whether PCI-DSS’s technical requirements will “enhance cardholder data security.”

Weaknesses
There are several weaknesses in the PCI-DSS technical requirements, three of which are discussed in the following sections. We chose to discuss these three specific weaknesses in PCI-DSS because the recommend
ations are widely accepted security practices and their implementation would substantially increase the protection of cardholder data.

1. Encryption of Network Traffic
PCI-DSS requirements do not adequately protect cardholder data when it is transmitted across computer networks. Even though PCI-DSS requirement 4.1 requires the “use of strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission,” the standard falters in that it limits where these cryptosystems are required. The standard specifically states that cryptography need only be used over open, public networks, such as the Internet, wireless technologies, Global System for Mobile communications (GSM), and General Packet Radio Service (GPRS). While it is important to encrypt sensitive information over open networks, it is equally important to secure sensitive data transmitted over any network, including an organization’s Local Area Network (LAN) – the network that connects computer systems in a small physical area.

Sensitive data must be encrypted whenever and wherever it is transmitted because the security of the media and nodes cannot be guaranteed, even on a LAN. Having cardholder data transmitted unencrypted on any computer network introduces risk that the data will be intercepted. This is especially true because PCI-DSS does not require networks that store, process, or transmit cardholder data to be isolated from general purpose computing systems.5 This exposes cardholder data to risk from a breakdown in physical security (for example, an attacker connecting an external device to the network), as well as from general purpose computing systems that have been compromised. Because general computing systems are used to access the Internet and email, they are much more likely to be compromised. When these systems are not segmented from networks where cardholder data is stored, processed, or transmitted, they could be used to target cardholder data transmitted over a shared medium.

To reduce the risk of cardholder data being stolen during transmission, PCI-DSS should require that cardholder data be encrypted anytime and anywhere it is transmitted.

2. Application Privileges
PCI-DSS also does not require the concept of “least privilege” to be applied to application accounts. PCI-DSS requires least privilege to be applied to user accounts, but says nothing of the level of privilege assigned to application accounts. PCI-DSS requirement 7.1 addresses least privilege only from the perspective of “need to know,” meaning only users filling job roles that require access to cardholder data should have access to cardholder data.

Least privilege, however, is equally important for accounts used to run applications, especially when these applications have access to sensitive data. In order to function, applications must have access to system resources. As with user accounts, application accounts are often assigned privileges in excess of those required for the application to function properly. Taken alone, this is not a tremendous
risk because an attacker must first be capable of having the target application perform unintended tasks on the attacker’s behalf. Unfortunately, injection vulnerabilities,6 which result in an attacker executing code, other applications, or commands in the context of the application’s account, are very common and difficult to identify. Once a vulnerability is identified, excess privileges assigned to an application account could permit an attacker to access additional systems or data, posing a substantial risk to cardholder data.

PCI-DSS should require applications to be run with the minimum privileges necessary to operate properly. This is in line with a layered defense strategy, and would mitigate the risk to cardholder data.

3. Legacy Encryption and Authentication Protocols

The PCI-DSS standards also do not prevent the use of insecure authentication protocols. Legacy encryption and authentication protocols are mentioned only in the context of wireless networks. There are, however, legacy encryption and authentication protocols that are frequently leveraged by attackers to obtain unauthorized access to systems and data. One of the most common is the legacy LAN Manager hash (LM hash).

Password hashes are a way of storing and authenticating a user without storing the user’s password in clear text. In the Microsoft Windows7 95 and Windows 98 operating systems, the LM hash was used to store user passwords. The LM hash is a legacy method for storing passwords, and has substantial weaknesses8 that would allow an attacker to obtain a password from a password hash within seconds. For backward compatibility, LM hash support was built into all Microsoft operating systems and enabled by default until the release of Microsoft Windows Vista. Since every Microsoft operating system prior to Windows Vista stores passwords that are less than 15 characters as an LM hash, this vulnerability is a substantial risk to many organizations. While an attacker must be able to place and execute tools on a target system to access the LM hash, this has proven to be a simple task in many […].

PCI-DSS should require applications to use secure encryption and authentication protocols outside of the context of wireless networks. This also is in line with a layered defense strategy, and would greatly mitigate the risk to cardholder data.

Strengths

PCI-DSS requirements do not address all security concerns or all security best practices, but the requirements do a good job of identifying first steps to protecting sensitive data. Our experience has shown that security best practices are rarely implemented when not required by an authoritative body such as the PCI Security Standards Council. Organizations often wait until they have been compromised and specific security best practices are recommended to them by an incident response firm. Because PCI-DSS requires adherence to a subset of security best practices that reduces risk and mitigates attacks, we believe that PCI-DSS improves security, and that laws that utilize PCI-DSS requirements as their basis will similarly help improve security.

In the sections below, we identify five specific PCI-DSS sub-requirements that are important to the overall defense of an organization and an effective incident response. These requirements highlight the strengths of PCI-DSS.
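The daily log review (sub-requirement 10.6) and log retention (sub-requirement 10.7) points discussed in the next section can be made concrete with a short script. The following Python is an added example written for this page; it is not code from the article or from MANDIANT. The log lines, the host name pos-db1 and the addresses 198.51.100.23 and 192.0.2.10 are constructed (documentation-range addresses), the year 2010 is assumed because syslog timestamps carry none, and the failure threshold and time window are illustrative assumptions rather than PCI-DSS values.

```python
"""Daily log review (PCI-DSS 10.6) and log-retention check (PCI-DSS 10.7).

Added example for this page. The log lines are constructed, not taken from
any real system; their format mimics a Linux sshd syslog line.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample data (not real). 198.51.100.23 and 192.0.2.10 are
# documentation-range addresses; pos-db1 is an assumed host name.
SAMPLE_LOG = """\
Mar 14 02:11:03 pos-db1 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:11:05 pos-db1 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Mar 14 02:11:07 pos-db1 sshd[4025]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 14 02:11:09 pos-db1 sshd[4027]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar 14 02:11:12 pos-db1 sshd[4029]: Failed password for root from 198.51.100.23 port 51026 ssh2
Mar 14 02:11:20 pos-db1 sshd[4031]: Accepted password for root from 198.51.100.23 port 51027 ssh2
Mar 14 08:30:41 pos-db1 sshd[5100]: Accepted publickey for dba from 192.0.2.10 port 40212 ssh2
Mar 14 09:02:15 pos-db1 sshd[5188]: Failed password for dba from 192.0.2.10 port 40300 ssh2
Mar 14 09:02:25 pos-db1 sshd[5190]: Accepted password for dba from 192.0.2.10 port 40301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2010):
    """Parse one sshd authentication line; return None for lines the review ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def review_auth_log(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (severity, source, message) alerts from a day's log.

    HIGH: a source reaches `threshold` failed logins inside `window`.
    CRITICAL: that same source then authenticates successfully.
    Lines are assumed to be in time order, as in a daily log file.
    """
    failures = defaultdict(list)  # source -> timestamps of recent failures
    flagged = set()
    alerts = []
    for e in filter(None, (parse_line(ln) for ln in lines)):
        src = e["src"]
        if e["result"] == "Failed":
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            recent.append(e["ts"])
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("HIGH", src,
                               f"{len(recent)} failed logins on {e['host']} within {window}"))
        elif src in flagged:
            alerts.append(("CRITICAL", src,
                           f"successful login as {e['user']} on {e['host']} after brute-force burst"))
    return alerts


def check_retention(archive_days, online_days, today,
                    required_total=365, required_online=90):
    """PCI-DSS 10.7: one year of history, three months immediately available.

    archive_days / online_days are sets of dates for which a daily log file
    exists. Walks backwards day by day so a single missing day is reported.
    Returns a list of human-readable gaps (empty when compliant).
    """
    problems = []
    for n in range(required_online):
        d = today - timedelta(days=n)
        if d not in online_days:
            problems.append(f"online gap: {d}")
    for n in range(required_total):
        d = today - timedelta(days=n)
        if d not in online_days and d not in archive_days:
            problems.append(f"history gap: {d}")
    return problems


def demo_retention(today=date(2010, 5, 14)):
    """Constructed scenario: 90 days online, archive missing the day 200 days back."""
    online = {today - timedelta(days=n) for n in range(90)}
    archive = {today - timedelta(days=n) for n in range(365) if n != 200}
    return check_retention(archive, online, today)


if __name__ == "__main__":
    for sev, src, msg in review_auth_log(SAMPLE_LOG.splitlines()):
        print(sev, src, msg)
    print(demo_retention())
```

On the constructed data the review raises one HIGH alert for the five failures from 198.51.100.23 and escalates to CRITICAL when that source then logs in as root, while the single failure from 192.0.2.10 stays below the threshold; the retention check reports exactly the one missing archive day. Real daily review would run the same logic over every host that stores, processes, or transmits cardholder data, which is why the article stresses automation.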
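File-integrity checking as described under sub-requirement 11.5 in the next section can likewise be shown in a few dozen lines. The following Python is an added example, not the article’s code and not the product code of any of the tools the article cites; the file names, contents and directory layout in demo() are constructed for the example, and the baseline is kept outside the monitored tree on the assumption that in practice it would be stored off-host or otherwise protected from whoever can change the monitored files.

```python
"""File-integrity monitoring (PCI-DSS 11.5), added example for this page.

Builds a baseline of SHA-256 digests and permission bits for every regular
file under a directory, stores it as JSON, and later compares the live tree
against it, reporting added, removed and modified files. demo() uses
constructed files in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Digest a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative POSIX path: {"sha256": ..., "mode": ...}} for each regular file."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "mode": oct(p.stat().st_mode & 0o7777),  # permission and setuid/setgid bits
            }
    return baseline


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify differences; a changed digest or a changed mode both count as modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: take a baseline, change the tree, run the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "tree"            # the monitored directory
        store = Path(tmp) / "baseline.json"  # deliberately outside the monitored tree
        (tree / "etc").mkdir(parents=True)
        (tree / "bin").mkdir()
        (tree / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (tree / "bin" / "pos-service").write_bytes(b"\x7fELF placeholder binary")
        save_baseline(build_baseline(tree), store)

        # Changes of the kind an intrusion or an unreviewed admin leaves behind:
        # an edited config, an unexpected new scheduled task, a missing binary.
        (tree / "etc" / "app.conf").write_text("db_host=10.0.0.5\ndebug=1\n")
        (tree / "etc" / "cron.d").mkdir()
        (tree / "etc" / "cron.d" / "update").write_text("0 3 * * * root /opt/unknown/run.sh\n")
        (tree / "bin" / "pos-service").unlink()

        return compare(load_baseline(store), build_baseline(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Weekly comparison is the PCI-DSS minimum; the comparison itself is cheap, so the real operational cost is deciding which directories belong in the baseline and re-baselining after every authorized change so that alerts stay meaningful. Recording the mode bits alongside the digest catches a file whose content is unchanged but which has newly acquired setuid or world-writable permissions.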
1. Log Analysis and Retention

Two of the five sub-requirements we chose to highlight originate from Requirement 10: “Track and monitor all access to network resources and cardholder data.” Tracking access to systems and resources, especially those containing cardholder data, is essential to properly respond to a security incident. The ability to utilize this data for a timely response after an intrusion relies upon both a regular review of logs and the availability of a long log history. These two issues are addressed by requirements 10.6: “Review logs for all system components at least daily…” and 10.7: “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.” Requirement 10.6 is crucial for early identification of intrusions, but logs are rarely reviewed on a daily basis in the real world. While free log aggregation and analysis tools are available,9 merchants often do not utilize these products, and in many cases logs are never reviewed.

In many investigations, we find that log analysis could have detected the incident, potentially reducing the window of exposure during which the attacker has access to the system. Logging as required by PCI-DSS results in a large amount of log files. If these files are not analyzed in an automated and timely manner, security incidents will go undetected. Requirement 10.7 is critical for enabling investigators to properly understand the full scope of an intrusion. Because incidents are often not detected in a timely manner, it is important for organizations to retain a long history of logs. We have performed a number of investigations where important log information had not been saved, which drastically impeded the investigation. As PCI-DSS is adopted by state legislatures, sub-requirements 10.6 and 10.7 will force companies to better position themselves to detect and respond to intrusions.

2. File-Integrity Monitoring

Another sub-requirement that can significantly help with early detection of incidents is sub-requirement 11.5: “Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.” File-integrity monitoring software regularly checks important system files that are often altered by an attacker during an intrusion. By checking the integrity of these files at least weekly, organizations will be alerted to potential intrusions in a timely manner. Although file-integrity products are freely available,10 most companies do not utilize this fundamental defense mechanism due to a lack of familiarity with the workings of these types of products. We have performed many investigations where proper file-integrity checking would have alerted the organization to the breach much sooner than it was actually detected.

3. Vulnerability Scans After Significant Network Changes

Many of the PCI-DSS requirements deal with taking proactive actions to prevent intrusions from happening. One key sub-requirement that falls into this category is sub-requirement 11.2: “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.” PCI-DSS defines “significant changes” as including, but not limited to, the following:

• New system component installations;
• Changes in network topology;
• Firewall rule modifications;
• Product upgrades.

All of these events have the ability to significantly alter the security landscape of the network. The security of
the network should be re-assessed after any such changes. Getting a quarterly vulnerability scan by an approved vendor is one of the basic requirements of PCI-DSS, and most merchants who are familiar with the requirements understand and obtain such a scan. As states permit PCI-DSS compliance to form the basis of legal action, companies will be forced to better prevent intrusions by complying with sub-requirement 11.2.

4. Incident Response Plan

Finally, we highlight the last sub-recommendation in PCI-DSS, 12.9: “Implement an incident response plan. Be prepared to respond immediately to a system breach.” We have seen organizations both large and small that are not properly prepared to handle an intrusion, and often do not have any predetermined course of action when such an incident occurs. Having a plan to deal with intrusions is already a requirement for government organizations under the Federal Information Security Management Act (FISMA). A completed plan gives organizations the ability to rapidly handle intrusions when they occur, and often greatly reduces the impact of intrusions. While resources are freely available11 that offer templates for such plans, many organizations are not aware that this essential policy is required or even necessary. This can result in a chaotic response when an incident does occur. Not only does PCI-DSS require the creation of an incident response plan, it also requires that this plan be tested annually, and be modified to include lessons learned from actual intrusions. Testing and keeping the incident response plan as a living document are important steps in ensuring the organization is in a constant state of readiness for dealing with intrusions.

While all of the recommendations within PCI-DSS help an organization secure its information, we consider these five sub-recommendations to be crucial aspects of a secure environment that are often overlooked due to a lack of education about the importance of these defensive mechanisms and a lack of skill and time to implement them. As PCI-DSS becomes more incorporated in state (and potentially federal) law, these sub-recommendations will help organizations properly position themselves to react quickly and effectively to an intrusion when it occurs.

Conclusion

As more states build upon PCI-DSS to create laws, merchants will no longer face just fines from the PCI Council when they are not PCI-DSS compliant, they will also face a variety of legal actions. Exactly how these legal actions will affect small and large businesses remains uncertain. It is certain, however, that if these laws force merchants to fully comply with PCI-DSS, then these merchants will have a much higher security baseline making it harder, although not impossible, for attackers to compromise payment cards. As with many laws, PCI-DSS-related laws will only be as strong as their enforcement. PCI-DSS in its current form relies on smaller merchants to self-certify that they are compliant, and many merchants do not even go that far, often never filing the appropriate paperwork to show compliance. If PCI-DSS-related laws are not actively enforced, then it is likely that this non-compliance will continue into the future. With effective enforcement, PCI-DSS has the potential to significantly impact the security of merchants’ networks positively.

Chris Nutt is a Managing Consultant at MANDIANT where he is responsible for incident response investigations and training in incident response. Over the past six years Mr. Nutt has worked with the Fortune 500, the federal government, and federal law enforcement to investigate
and remediate complex computer intrusions. Frank Nagle is a Senior Security Consultant at MANDIANT where he performs vulnerability assessments, incident response for PCI and non-PCI related intrusions, and incident response training.

Endnotes

1 […]minnesotas-plastic-card-security-act/
2 Minnesota Plastic Card Security Act (H.F. 1758).
3 Nevada Security of Personal Information Law (NRS-603A).
4 Protecting Consumers from Breaches of Security (HB 1149).
5 General purpose computing systems are those not used for purposes other than storing, processing, or transmitting cardholder data.
6 Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands via supplying specially crafted data.
7 Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
8 Summers, W., Bosworth, E., “Password Policy: The Good, The Bad, and The Ugly,” Proceedings of the WISICT, Vol. 58 (2004).
9 Splunk 4.1, […]; OSSEC 2.4, http://www.[…]
10 Tripwire 2.4.2, […]; Osiris 4.2.3, […]
11 U.S. Dept. of Commerce, “NIST Special Publication 800-61: Computer Security Incident Handling Guide,” National Institute of Standards and Technology (Mar. 2008); American Institute of Certified Public Accountants, “AICPA Incident Response Plan Template For Breach of Personal Information” (2004).

The New Wave of Privacy and Data Security Considerations Affecting Cross Channel Marketing by Retailers

Benita Kahn

The Shift in Cross Channel Strategies

Ten years ago it was not unusual for retailers to reach their customers through multiple channels that included brick and mortar, phone, direct mail and an e-commerce site, with most of the emphasis in the first three categories. Over the past ten years, however, the number of Internet users has increased five-fold from 360 billion users to over 1.8 trillion users.1 In a recent survey, it was determined that 74 percent of American adults use the Internet and, interestingly, 55 percent of American adults connect to the Internet wirelessly with WiFi connections on laptops or handheld devices like smartphones.2 The growth in the use of mobile phones is particularly notable, with 91 percent of Americans as mobile subscribers and 257 million “data-capable” devices active on U.S. carriers’ networks.3 All of this connectivity and mobility is changing the focus of the multi-channel retailer and explains why retailers are interested in new ways to make use of these mobile channels.

Not only are we seeing changes in the types of multi-channel communication, but we are also seeing more cross channel integration. Customers are researching, shopping, and returning in any combination of channels and in ways that were not predicted a few short years ago. It is now commonplace for retailers to serve coupons to customers through text messaging and honor the coupon by merely having the customer show the code to the sales associate. With 50 million smartphones in service in the
United States, retailers can take their marketing beyond sending a coupon by text message with applications that can be downloaded to the smartphone. Apple recently disclosed that it has over 100,000 applications in its App Store and over 3 billion apps have been downloaded.4 Many of these apps make use of geolocation information that is included in the mobile unit, which allows very specific regional marketing. The speed with which the first 500,000 iPads were sold suggests more engagement with technology by consumers while on the move. The ability to connect with these engaged individuals by offering WiFi in stores or through geolocation information while the customer is in the store creates instant cross channel experiences.

During this time, retailers have also begun to place more value on the role privacy plays in gaining the trust of their customers. A recent survey of retailers shows the emergence for the first time of the significance of privacy and security to cross channel marketing, which is noted as a top business opportunity. Forty-seven percent of those retailers surveyed indicated that proactively addressing privacy and data security will enable them to move forward with an aggressive cross-channel strategy.5 This shift also shows the importance of a cross channel strategy, which is requisite to keeping a competitive position. So there is little doubt that the retailer/customer interaction will incorporate many channels and new methods of communication. How privacy will be addressed in this quickly-changing communication process is a topic that is garnering much attention.

The Role of Privacy in the Economic Incentive

Goals for the cross channel strategy are to drive traffic, generate incremental sales, and grow sales volume. These goals, however, should benefit the consumer by driving down prices with the improved efficiencies in marketing. The goals should also result in providing consumers with relevant solutions to their needs. Email provides a good example of the economic incentive cycle. Email grew so quickly because it was more efficient than postal marketing. But with the growth of email, consumers were overwhelmed and much of the email was landing in bulk mail folders. The lesson learned was that sending what the customer wants means sending less email with a higher response rate. The benefit to consumers – a more targeted […]

Meeting the goals of a cross channel strategy requires data. Retailers need data to respond more quickly to changes in demand patterns, to reduce out of stocks, to match product offerings to the right customer, and to improve customer service. The technology that has allowed the gathering of this information has been accomplished through such things as point of sale (POS) scanning, electronic payment options, loyalty programs using swiped cards, and electronic order management. To accomplish better offerings, however, requires aggregation and integration of data, which increases risk and complexity. The numerous data breaches over the last several years have demonstrated the risk and economic cost associated with collecting greater amounts of electronic data.

The complexity results from both state and federal laws. If information is obtained from the issuer of a retailer’s private label credit card, Gramm-Leach-Bliley concerns are raised. For example, how is the source of the data designated in a database? Given that the data can only be used in the manner the financial institution could use the data, there must be some means to designate that in the database as well. At the state level, Massachusetts has imposed very detailed data security requirements that must be addressed when storing and transmitting data.6 These rules, which went into effect on March 1, 2010, require implementation of a comprehensive information security program covering access controls, encryption, up to date software and patching, firewalls, monitoring of systems, and training. Washington, Minnesota, and Nevada have implemented data security requirements linked to an industry imposed standard – the Payment Card Industry Data Security Standards – resulting in a need to continually update compliance measures.

Retailers must also ensure that uses of data match the promises that were made when the data was collected. As part of this, a lesson that can be derived from some of the FTC consent decrees is management of third party vendors and the need to conduct due diligence, monitor, and contractually control those vendors.7 These third party vendors run the gamut from providers of applications for the smartphones to database management to providers of text message marketing campaigns. There must be a privacy professional involved in each aspect of planning at the outset who, first, must fully understand how the technology will work. Without this knowledge, it is not possible to accurately disclose data uses at the time of collection. There must also be oversight of what will be collected, who will retain and/or own the data (including evaluation of whether the retailer is merely building its vendor’s database), how the data will be stored and secured, due diligence with vendors, and, finally, the end of the life cycle of the data – its destruction. It is too difficult to reverse engineer the process later to implement these privacy protections. As a result of the complexity and the need for greater oversight, “privacy” as an isolated consideration has transitioned to a broader information governance or information risk management in more progressive companies.

This is all while keeping in mind that privacy is not just excluding or not collecting data, but rather is about understanding the desires and boundaries of the retail customer. It means developing trust and having a conversation with the customer through the channel selected by the customer and providing the information the customer wants to hear. Reaching the goals of data security, vendor management, oversight, and trust needed for a cross channel strategy, will require an enterprise-wide focus. For success, policies must be driven from the top, define accountability, and then communicated, implemented, and trained through thoughtful processes. The enterprise-wide policies should allow for privacy by design – bringing in all the necessary players at the front end of a marketing project, such as marketing, privacy, information technology, information security, finance, risk management, and legal.

The economic incentive does not rest solely in the hands of the retailer. Consumers have begun to understand the risk/reward value proposition when sharing their data and privacy plays a role in this equation. As a result, retailers also need to understand the role of privacy in the risk/reward equation and examples help demonstrate this. For consumers, the value of TJX is its discounted retail product. As a result, even after a significant data breach, consumers went back to TJX. But compare this to a […] that allows consumers to aggregate financial account information across multiple institutions. A core value of […] is trust, which also means control by the consumer. If […] were to have a data breach, it would lose this trust and likely many of its consumers. Knowing where the retailer stands on the value/risk/trust
continuum will also be essential in planning information governance and marketing strategies.

The Shifting Regulatory Focus

Not surprisingly, with this change of focus in cross channel marketing and more emphasis on the mobile marketing channel, new privacy and data security considerations are being raised by regulators and legislators. Over the last five to ten years, data breaches forced the focus of regulators on data security. During this time, however, companies were figuring out how to make use of data that is collected and were creating a knowledge economy, which may ultimately make privacy an important non-price element of competition. The recent FTC workshops8 and proposed privacy legislation9 indicate a shift back to a focus on privacy. Concerns are being raised relating to new risks to privacy management, the user-generated nature of the Internet, and the transition to ever-expanding marketing through mobile-based communication channels. The issues under consideration are changing the historic view of privacy. Questions are being asked as to the need for a new paradigm to match the fast-paced changes. Specific paradigms that are being questioned include notice and consent and the concept of personally identifiable information and what that includes – all while trying to maintain the long standing privacy principles of fair information practices: notice, choice, access, redress, and accountability.

Currently, there are more questions than solutions. There is definite chatter that the concepts of notice and consent, and particularly privacy policies for the notice, may have outlived their usefulness. In the recent workshops, the FTC staff frequently cited a recent survey in which the majority of consumers believed a company with a privacy policy meant the company would not share information collected. The settlement approved by the FTC for asserted deception and unfairness violations by Sears Holdings Management Corporation (Sears) has provided additional support to question the validity of notice and consent.10 There also is questioning of whether it still makes sense to make a distinction between personally identifiable information and non-personally identifiable information.

The problem with eliminating notice and consent is that no obvious replacement has yet to appear. There are, however, some consistent themes emerging. Regulators believe that privacy policies are too complicated, too vague, and too long for consumers to understand. Further, if there is to be consent, it must be informed consent. As implemented in the Sears consent decree, this requires disclosure of uses of data and whether such data will be shared with third parties in a manner that is clear, conspicuous, and unavoidable when considering size, color, contrast, location, duration, and must be readable and understandable. The task ahead is how to make disclosures clear and conspicuous when moving from a 17” screen to a 2-4” screen on a smartphone. As important will be how to make disclosures clear and conspicuous prior to a consumer downloading an application that collects and uses data about the consumer through the smartphone. Suggestions so far include replacing privacy policies with a nutrition-type disclosure or a recognizable icon to scroll over. Another approach being discussed is proportionality. This would suggest limiting the amount of data collected to avoid nefarious uses later, and, as a result, limited collection would mean limited use and limited need for retention.

There are also questions about the need for policies and notices to consumers to cover all information collected, whether online or offline. Historically, retailers could limit privacy policies to only the information collected online.
But with the merging of offline and online through cross channel marketing, regulators are questioning whether this model still works. For example, an online-only privacy policy does not address how retailers will have meaningful conversations with customers about these issues at their stores. When considering disclosures required for credit, state laws on return policies, tax issues, contract issues such as posting paycard association logos, there is little space left at the point of sale to disclose more. And with all of the other disclosures, it is unlikely that customers will read the postings.

There are also concerns over the concept of personally identifiable information, and whether PII can continue in a world where even anonymous data can be combined with enough other data to link it to email addresses, postal addresses, names, and other information to initiate targeted […]. David Vladeck, the Director of the Consumer Protection Bureau at the FTC, stated at the recent FTC privacy workshops that the distinction between PII and anonymous information is a thing of the past. Director Vladeck therefore believes the question is how to build in transparency in clear and simple terms.11 As a result, the FTC appears to be moving away from PII and towards whether data can be tied to a person or device. This may lead to the possibility of including IP addresses as data that should be included in disclosures.

Conclusion

Retailers should take away four key messages with respect to privacy going forward:

Privacy by Design. The Facebook Beacon and Google Buzz implementations are both examples of where privacy considerations were not considered sufficiently before going public with these functions. Both privacy groups and legislators insist that the FTC investigate the privacy gaffes that occurred when these were introduced. This has led to an emphasis by the FTC on Privacy by Design – in other words, build privacy into the development life cycle at the outset.

Accountability. Someone in the organization must have a 360 degree view across all channels and all brands. Privacy governance models that are adopted must reflect the new cross channel world. This governance includes understanding the technology being used by your company and its vendors and administering the necessary controls.

Data Minimization. This has been a long-standing principle, but the business imperative to enhance the economic incentives will turn this into a push/pull conversation. Someone will need to be there to make the correct decisions for the […].

Transparency. Keep in mind that the privacy professional will have a different understanding of this term than the marketing professional. The privacy view is to have policies regarding collection and use visible, clear, and conspicuous. The marketing group understanding of transparency is making it non-intrusive. Someone must translate these differences and apply the risk/reward continuum to the conversation.

All of this means that the “simple” job of the privacy officer is becoming more complex. Not only will there be a continuing need to understand and comply with numerous privacy obligations, but it will now be necessary to build a strong relationship between marketing and privacy. With the focal point of data security, privacy officers worked closely with the information security professionals in their company who protect confidentiality. The new relationships that must be built for the cross channel strategy will
involve a much more complex group than just information technology. To allow the sharing of information, for example, this group will likely involve different members of information technology who are the database administrators. As retailers have begun to recognize, growing the brand through this cross channel strategy requires that privacy has an important seat at the table and it is the privacy professional who will need to act as the liaison among marketing, finance, compliance, and technology.

Benita Kahn is a partner in the Columbus, Ohio office of Vorys, Sater, Seymour and Pease LLP, and a vice chair of the ABA’s Privacy and Information Security Committee (within the Section of Antitrust). She is Chair of the Technology and Intellectual Property Group at the firm and she concentrates her practice in privacy, data security, contract negotiations and drafting, consumer protection issues, including technology and intellectual property matters and other new media advertising issues.

Endnotes

1 […], showing statistics from December 31, 2000 until December 31, 2009; accessed May 15, 2010.
2 […]broadband-and-cell-phone-statistics.aspx?r=1; accessed May 15, 2010.
3 […]survey-91-of-americans-have-cell-phones.ars; of the 257 million data capable devices, 50 million are smartphones capable of more advanced wireless services than SMS, MMS, and WAP browsing; accessed May 15, 2010.
4 […]; accessed May 15, 2010.
5 The survey was conducted and reported by Retail Systems Research. The full results of this survey on “Building Trust and Growing the Brand: The Role of Privacy and Security in Retail 2010” can be found at http://www.retailsystemsresearch.com/_document/summary/1062, accessed on April 12, 2010. Of interest is that when the survey was taken in 2008, cross channel agendas did not show up as a business opportunity, as 74 percent had reduction of breach risk as their most important business opportunity and 59 percent stated PCI compliance as the top priority.
6 See Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.
7 See, for example, the recently announced FTC consent decree with Dave & Buster’s, available at […]opa/2010/03/davebusters.shtm.
8 […]; the series of day-long public roundtable discussions explored broader issues than just cross channel marketing issues of retailers and, in fact, addressed the vast array of 21st century technology and business practices that collect and use consumer data, such as social networking, cloud computing, online behavioral advertising, mobile marketing, data brokers, third-party applications, and other diverse businesses; accessed May 15, 2010.
9 See […]content&view=article&id=1957, for the May 4, 2010 release of draft privacy legislation by Representatives Boucher and Stearns; accessed May 4, 2010.
10 See Sears Holdings Management Corporation, FTC File No. 082 3099 (2009), available at […]sears.shtm. As noted in the press release, the FTC charged that Sears “failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software application.” While Sears disclosed it would track online browsing, it was only in a lengthy user license agreement, available to consumers at the end of a multi-step registration process that Sears further disclosed that the downloaded software would “also monitor consumers’ online secure sessions – including sessions on third parties’ Web sites – and collect information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails.”
11 See transcripts from FTC workshops available at http://www.[…]
Data Security and Privacy Audits: Steps to Protect Reports

Dana Rosenfeld and Kristin Hird

As enforcement activities involving privacy and data security breaches increase and penalties for resulting law violations grow steeper, companies are increasingly turning to privacy audits to assess and strengthen their current practices. While a rigorous audit can identify and help a company to remedy vulnerabilities in its systems and policies, a written audit report can pose its own dangers if obtained by civil litigants or regulators seeking to build a case against the company.

Because there is no audit privilege established by statute or case law for privacy and data security audits, companies must rely on the sometimes spotty protection provided by the attorney-client privilege, work product privilege, or self-evaluative privilege. This article discusses the application of the attorney-client privilege and the self-evaluative privilege, and suggests best practices to increase the chances that an audit report will be protected from disclosure.

Outside counsel typically perform audits with assistance from in-house counsel, who often act in their dual capacity as attorney and corporate officer. Because an in-house attorney acting in this dual capacity can pose its own privilege issues, the use of outside counsel can assist in establishing privilege protection. Alternatively, in-house counsel may hire non-attorney support to conduct or assist with the audit. Work by non-attorney parties hired by attorneys to assist in providing legal advice is generally protected from discovery by the attorney-client privilege, but it may be more difficult for dual-capacity in-house counsel directly hiring non-attorney third parties to establish this privilege. In both situations, the steps described below may support the assertion of the attorney-client privilege.

Application of Attorney-Client Privilege and Self-Evaluative Privilege

The attorney-client privilege provides protection from disclosure of confidential communications between attorney and client, with several exceptions. The Supreme Court's seminal decision Upjohn Co. v. United States1 declined to employ the "control group" test previously used to limit privilege claims, and held that communications even from lower-level employees may be privileged depending upon the context of the communication. While the Court noted that the purpose of the communication must be to secure legal advice for the corporation, it declined to adopt a bright line rule, instead concluding that the existence of the privilege must be determined on a case-by-case basis.2 The Court approvingly cited five factors previously outlined in the modified subject-matter test of Diversified Industries, Inc. v. Meredith,3 and recognized three additional elements. The eight elements identified by the Court are that the communications were made: (1) to secure legal advice; (2) by employees at the direction of corporate superiors; (3) solicited so that the corporation could secure legal advice; (4) concerning matters within the scope of the employees' corporate duties; (5) kept confidential by the corporation; (6) made to counsel acting as such; (7) considered confidential when made; and (8) by employees aware that they were being questioned so that the corporation could obtain legal advice.4

Subsequent decisions have shown a lack of predictability in determining whether attorney-corporate client communications are privileged. For instance, although Upjohn outlined eight factors relevant to the Court's determination, decisions from lower courts have not required that all eight elements be present for the privilege to be recognized.5 Moreover, state courts are not bound by the Upjohn decision and therefore may adopt the standard they deem appropriate in privilege claims. Accordingly, while the attorney-client privilege analysis may inform a company's decisions regarding internal investigations, it does not present a clear roadmap for ensuring confidentiality of an internal review.

Although there is considerable uncertainty surrounding the application of the attorney-client privilege, particularly with regard to in-house counsel generally, Upjohn established a clear recognition of the sanctity of the attorney-corporate client relationship, which is particularly relevant to internal investigations.6 Indeed, some courts have recognized a self-evaluative privilege that protects information from discovery. Because the self-evaluative privilege is intended to promote confidential self-criticism, it can be invoked to protect investigations, internal reviews, and recommendations for implementation of specific practices from disclosure.7 However, most circuits have declined to recognize such a privilege at all, or have been reluctant to apply the privilege.8

Thus, in the absence of a statutory scheme to protect internal investigations, such as that which has been established for environmental audits,9 a corporation seeking an internal investigation is best guided by the attorney-client privilege principles outlined in Upjohn and developed in subsequent case law. The attorney-client privilege protects only communications with an attorney when the attorney is acting as such. Therefore, it should be clear that an attorney investigator is acting in his or her capacity as an attorney and is not merely performing a business function. For example, in Spectrum Systems International Corp. v. Chemical Bank,10 the New York Court of Appeals held that the report generated by a law firm retained to "perform an investigation and render legal advice to Chemical regarding possible fraud by its employees and outside vendors, and to counsel Chemical with respect to litigation options" was privileged.11 Notably, the appellate division reviewed the documents in camera and concluded that the documents were not privileged because the purpose was to obtain business, not legal, advice.12 The Court of Appeals, however, held that "[t]he critical inquiry is whether, viewing the lawyer's communication in its full content and context, it was made in order to render legal advice or services to the client."13 Even though the Court noted that it "is not bound by the conclusory characterizations of client or counsel that the retention [of the law firm] was for the purpose of rendering legal advice," the Court found that there was "no reason to disregard the sworn statements describing the engagement as one for legal not business advice, which is evident in the report itself."14 The Court observed that the report did not include "recommendations for desirable future business procedures or corruption prevention measures, or employee discipline" but instead "relates and integrates the facts with the law firm's assessment of the client's legal position, and evidences the lawyer's motivation to convey legal advice."15 As part of its decision, the Court of Appeals explicitly rejected a requirement that litigation be contemplated, that the report contain legal research, or even that the report be conclusive, noting that "[l]egal advice often begins – and may end – with a preliminary evaluation and a range of options."16
In contrast, where attorneys have been retained to conduct routine business investigations, the privilege will not apply. Many of these cases involve insurance company investigations where the attorney's role was merely a part of the ordinary claim investigation.17 Just as courts will not find facts to be privileged merely because they are conveyed to an attorney, an investigation cannot gain privilege solely by including an attorney in the process. For a data security audit this matters in practice: raw scan output, vulnerability lists, and log extracts are facts, and routing them through counsel does not by itself shield them.

Steps to Protect an Audit or Investigative Report

In light of the imprecise parameters of the attorney-client privilege, an attorney undertaking an investigation or a corporation retaining a law firm to perform an internal investigation or audit would do well to keep the following principles in mind:

1. The attorney or law firm should be retained expressly to provide its legal expertise, opinion, and counsel on the subject matter of the investigation. Written reports should expressly address the client's legal position and state that legal advice is being provided.

2. When employees are directed to participate in interviews with counsel, they should do so at the instruction of their corporate supervisors, should provide information within the scope of their employment duties, and should be informed that they are speaking to counsel so that the corporation may obtain legal advice.

3. Confidentiality should be maintained around the investigation and around written work product. Drafts of such reports should be kept to a minimum. Where written work product is generated, the company should designate and protect such an audit report, investigative findings, or recommended steps as confidential and limit distribution to as few people in the company as possible.

Conclusion

Despite the increasing need for proactive steps by corporations to identify and correct data security and privacy practices before a breach, no clear protection yet exists for such audits or investigations. As such, counsel and clients should bear in mind that materials prepared during and at the conclusion of an investigation or audit may be discoverable at some point. Taking steps to clearly establish the attorney's role as providing legal advice and treating audit materials and conclusions as privileged and confidential, however, should provide a basis on which to maintain the privilege.

Dana Rosenfeld is a partner in the Washington, D.C. office of Kelley Drye & Warren, and chair of the firm's Privacy and Information Security Practice. Kristin Hird is an associate at Kelley Drye & Warren. Ms. Rosenfeld's and Ms. Hird's practices focus on all facets of privacy and data security, advertising and consumer financial issues at the federal and state level.

Endnotes

1 449 U.S. 383 (1981).

2 Id. at 394-396.

3 572 F.2d 596 (8th Cir. 1977).

4 449 U.S. at 394-395; see also Marc I. Steinberg & Ralph C. Ferrara, Securities Practice: Federal and State Enforcement, 25A Securities Prac. Fed. & State Enforcement § 11:4 (2009).

5 See Steinberg & Ferrara, supra note 4 (discussing Baxter Travenol Laboratories, Inc. v. Lemay, 89 F.R.D. 410 (S.D. Ohio 1981) (privilege recognized because factors were "for the most part" satisfied even though one factor was not present); In re LTV Securities Litig., 89 F.R.D. 595 (N.D. Tex. 1981) (relying on general principles of Upjohn to recognize privilege for internal investigation)).

6 The work product doctrine may also be relevant to internal investigations if the investigation is related to pending or threatened litigation.

7 See Michael Goldsmith & Chad W. King, Policing Corporate Crime: The Dilemma of Internal Compliance Programs, 50 Vand. L. Rev. 1, 30-32 (1997) (discussing the origin and application of the self-evaluative privilege).

8 See Goldsmith & King, supra note 7, at 32; Jewell v. Polar Tankers, Inc., No. C 09-1669, 2010 WL 1460165 (N.D. Cal. Apr. 8, 2010) (discussing Ninth Circuit and Supreme Court precedent against the recognition of a self-critical analysis privilege and noting that while some circuits have recognized the privilege, a majority have not).

9 Background information on the EPA's Audit Policy is available at:

10 581 N.E.2d 1055 (N.Y. 1991).

11 Id. at 1058.

12 Spectrum Sys. Int'l Corp. v. Chem. Bank, 558 N.Y.S.2d 486 (N.Y. App. Div. 1990), modified, 581 N.E.2d 1055, 1059 (N.Y. 1991).

13 Spectrum Sys. Int'l Corp., 581 N.E.2d at 1060-61.

14 Id. at 1061.

15 Id.

16 Id.

17 See Vincent S. Walkowiak, The Attorney-Client Privilege in Civil Litigation: Protecting and Defending Confidentiality (4th Ed.), Ch. 12 at 276-280.

When Does an Organization Have a P2P Problem?

Kristin Cohen

The data security risks associated with peer-to-peer (P2P) file sharing have been known for some time, although recent high-profile data breaches have brought them to the forefront. Data leaked onto P2P networks have included financial information of a Supreme Court Justice,1 a document containing more than two dozen names of congressmen under investigation by the U.S. House of Representatives' Ethics Committee,2 and many thousands of tax returns and medical records of ordinary citizens.3

There are a variety of ways by which organizations may inadvertently leak confidential information onto a P2P network. For example, an employee working from home needs to access a document that includes sensitive personal information, such as Social Security numbers, on thousands of her employer's customers. She e-mails the document to her personal e-mail account and saves it on her home computer's hard drive. Unbeknownst to the employee, her son has downloaded a P2P file-sharing program on her home computer to share music and videos with his friends. When her son next connects to the P2P network on her computer, the document she saved there, containing the personal information of her employer's customers, is available for download by thousands of other users connected to the P2P network. Unfortunately, once sensitive information is leaked to a P2P network, there is no way to retrieve the data.

Other examples of ways data can be lost on a P2P network include: employees may save confidential files to a thumb drive and then save those files to a home computer running a P2P program; employees download a P2P program directly to their work computer; or an organization has chosen to utilize P2P file-sharing programs but has not configured its network correctly to protect confidential information. There are myriad other scenarios, all of which can lead to an organization's confidential information being leaked onto a P2P network, and the significant costs that come with a data breach. This article describes P2P programs, considerations for organizations contemplating P2P programs, and ways to decrease the risks of using P2P programs.

What Is P2P File Sharing and What Are the Security Risks?

P2P programs make use of a technology that enables individual computers to form a network through which they can connect to and communicate directly with other computers running the same program. Consumers use the programs to share music, videos, and documents, and to facilitate online telephone conversations. Commercial uses include the licensed distribution of games, movies, music, and software. P2P technology allows information to move quickly and easily between individual consumers' computers because there is no centralized server that needs to route network traffic. Instead, rather than storing files in a central location to which individual computers must connect to retrieve the files, P2P technology enables individual computers to directly share files stored on the individual computers. This eliminates the need for a central storage point and allows for faster file transfers. In other words, P2P programs allow files to be shared more quickly, cheaply, and efficiently. BearShare, LimeWire, KaZaa, eMule, Vuze, uTorrent, and BitTorrent are all examples of P2P file-sharing programs.

Efficient sharing of files through P2P programs, though, bears the risk of inadvertently sharing sensitive, confidential information. P2P file-sharing programs allow computer users to make files available to other users on the P2P network. P2P users can designate the drives and folders from which files can be shared, allowing other network users to download any files stored in these designated areas. Inadvertent file sharing can happen when a person accidentally chooses to share drives or folders that contain sensitive information, or saves a private file to a shared drive or folder by mistake, again making that private file available to others. Viruses and other malware can change the drives or folders designated for sharing, putting private files at risk. Once a user on the P2P network downloads someone else's files, those files cannot be retrieved or deleted, and could be shared on the network long after the files have been deleted from the original computer that shared them. In addition, any security flaws or vulnerabilities in the P2P file-sharing software or on an organization's network could allow for attacks on other computers on the network.

What Is the FTC Doing to Protect Consumers from P2P Data Breaches?

The Federal Trade Commission (FTC or Commission) has been concerned with the consumer risks associated with P2P file-sharing programs for some time. As far back as 2004, the Commission hosted a public workshop on P2P technologies and issued a report detailing some of those risks, including data security concerns.4 Since the workshop, Commission staff have worked with P2P file-sharing software developers to devise best practices to help prevent consumers from inadvertently sharing personal or sensitive data over P2P networks.

In July 2008, the Distributed Computing Industry Association (DCIA) published voluntary best practices, which included several useful software safeguards, including, among other things:
• warnings to P2P program users and notices about the number and types of files being shared;

• default settings that limit what is shared upon installation of the P2P program;

• controls for users to stop sharing any file or folder;

• protections against any user attempt to share sensitive folders or file types; and

• simple means to disable the file-sharing functionality of the software.5

Beginning in February 2009, DCIA members began providing Commission staff with reports outlining the ways in which they believe their P2P programs comply with those best practices, and, with the assistance of an independent P2P technology expert, FTC staff have been assessing whether those members are complying with the best practices.6

In February 2010, the Commission also notified nearly 100 organizations that files containing personal information, including sensitive data about their customers, students, members and/or employees, had been shared from the organizations' computer networks, or those of service providers, and were available on P2P networks to any users of those networks. Much of the information exposed could be used to commit identity theft or fraud. These notices were sent to both private and public entities, including schools and local governments, and included both small organizations and large publicly-traded companies. At the same time the FTC sent out the notices, it also opened non-public investigations into other companies whose customer or employee information had been exposed on P2P networks.7 When these notices were announced, the FTC also released a new business education brochure – Peer-to-Peer File Sharing: A Guide for Business – to help companies make smart choices to protect their confidential data from inadvertent sharing to a P2P network.8

What Can Organizations Do to Protect Themselves?

The most important step an organization can take to protect itself from a P2P data breach is to consider carefully the data security risks associated with the use of P2P programs. Once an organization does this, there are numerous steps that it can take to lessen the risk of inadvertent file sharing on P2P networks.

First, organizations should make an informed choice about whether to ban or permit P2P applications on their networks. If an organization's network holds sensitive information that is necessary to conduct business, it should weigh the benefits of using P2P applications against the security risks associated with these programs. Once a decision has been made, the business should create a policy regarding P2P programs and take the appropriate steps to implement and enforce it in order to reduce the risk that sensitive information will be shared unintentionally.

The importance of training employees cannot be overemphasized. Educating employees can help them to make smart choices, and can go a long way toward preventing P2P data breaches. This employee training should include information about P2P programs, the security risks they present, and proper file naming conventions – ones that are less likely to disclose the types of information a file contains. For example, file names should not include terms like "ssn," "tax," or "medical." If an organization ultimately decides to allow P2P programs, effective training should demonstrate to employees how to restrict drives or folders to limit what other P2P users can view, emphasize
the importance of keeping files with sensitive information out of P2P shared drives and folders, and minimize the amount of sensitive information on computers using P2P programs.

Regardless of whether an organization chooses to allow or ban P2P file-sharing programs, it should take certain steps to ensure that sensitive information on its network is secure. These steps include deleting sensitive information it does not need, and restricting where sensitive information can be saved. The company cannot lose sensitive information if it does not have it. For the information an organization must keep, it should consider adopting security measures that are reasonable and appropriate, taking into account the sensitivity of the information. There are many such options available, including application-level encryption. In the event confidential information is shared on a P2P network, application-level encryption can help ensure that the data remains protected. Organizations must be sure, however, that the encryption keys are kept safe (and not available in drives or folders designated for sharing).

How Does an Organization Effectively Ban P2P Programs?

Banning the use of P2P programs on an organization's network requires a multi-pronged approach. It is not enough to simply state the policy. Instead, organizations must develop policies to prevent such programs from being installed, to detect P2P programs that have already been installed, and to block any network traffic associated with such programs.

Preventing P2P Program Installation. Organizations can prevent P2P programs from being installed by using administrative security controls to block access from their network to web sites that are used to download these programs. This includes blocking access to sites that offer free software downloads, as these sites are often sources of P2P programs. Additionally, organizations can use administrative security controls to prevent employees from installing unapproved programs on the organization's network.

Detecting Unauthorized P2P Programs. There are scanning tools available to help organizations determine whether there are P2P programs on their network. These scanning tools can identify many (but not necessarily all) P2P programs. Organizations should run these tools periodically to ensure P2P programs have not been downloaded onto their network.

Blocking Unauthorized P2P Traffic. Organizations should also use tools to monitor and block access to P2P file-sharing networks, such as intrusion detection systems (IDS), intrusion prevention systems (IPS), and firewalls. Port- and signature-based blocking is only a first pass, since current clients choose random ports and can obfuscate their protocol, which is why the traffic analysis that follows matters. In addition, organizations should consider using tools to record file transfers. Reviewing these records and an organization's activity logs is an important step in identifying traffic volume spikes that may indicate files being shared to or from the P2P networks. Network monitoring tools and techniques, such as flow reconstruction, can also be helpful in identifying whether a network has P2P traffic – and possibly the names and contents of files that have been sent to and from the network using P2P programs. Finally, certain data loss prevention tools that inspect files flowing from the organization's network to determine whether they contain certain types of sensitive information, like Social Security numbers, can be helpful.
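The three network-side checks described above (a protocol signature, a port hint, and a per-host outbound volume spike, plus a DLP-style content rule) combined into one small detector. This is an added example written for this edit, not code from the article or from the FTC. The connection-record format, the historical baseline figures, the sample records and the payload bytes are all constructed for illustration; the port list is an assumption drawn from the clients the article names and is deliberately treated as a weak hint, because current clients pick random ports.

```python
import re
from collections import defaultdict

# Ports historically used by the clients the article names. Assumption:
# a weak hint only, since modern clients choose random ports; the payload
# signature below is the stronger indicator.
P2P_PORTS = {
    6346, 6347,            # Gnutella (BearShare, LimeWire)
    1214,                  # FastTrack (KaZaa)
    4662, 4672,            # eDonkey/KAD (eMule)
    *range(6881, 6890),    # classic BitTorrent range (Vuze, uTorrent, BitTorrent)
}

# A BitTorrent peer-wire session opens with a handshake: one length byte
# (decimal 19) followed by the ASCII string "BitTorrent protocol".
BT_HANDSHAKE = b"\x13BitTorrent protocol"

# DLP-style content rule: a US Social Security number in nnn-nn-nnnn form.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def classify(rec):
    """Return the reasons one connection record looks like P2P or a leak.

    `rec` is a constructed dict with keys src, dport, bytes_out, payload
    (the first bytes the client sent)."""
    reasons = []
    if rec["payload"].startswith(BT_HANDSHAKE):
        reasons.append("bittorrent-handshake")
    if rec["dport"] in P2P_PORTS:
        reasons.append("p2p-port:%d" % rec["dport"])
    if SSN_RE.search(rec["payload"]):
        reasons.append("dlp-ssn-pattern")
    return reasons


def volume_spikes(records, baseline, factor=5.0):
    """Hosts whose outbound bytes in `records` exceed `factor` times their
    own historical daily baseline. `baseline` maps host -> bytes per day
    and would normally be built from earlier logs (constructed here).
    Comparing each host to itself avoids the trap of mean-plus-k-sigma
    across a handful of hosts, where one outlier can never be flagged."""
    today = defaultdict(int)
    for r in records:
        today[r["src"]] += r["bytes_out"]
    return sorted(h for h, b in today.items()
                  if h in baseline and b > factor * baseline[h])


def review(records, baseline):
    """Run every check and return {host: sorted list of reasons}."""
    findings = defaultdict(set)
    for r in records:
        for reason in classify(r):
            findings[r["src"]].add(reason)
    for h in volume_spikes(records, baseline):
        findings[h].add("outbound-volume-spike")
    return {h: sorted(v) for h, v in findings.items()}


# Constructed sample: four connection records and a baseline, not real data.
SAMPLE_RECORDS = [
    # BitTorrent handshake on a random high port, and a huge upload
    {"src": "10.1.2.30", "dport": 51413, "bytes_out": 9_500_000_000,
     "payload": BT_HANDSHAKE + b"\x00" * 8 + b"\xaa" * 40},
    # Ordinary TLS ClientHello to a web server
    {"src": "10.1.2.31", "dport": 443, "bytes_out": 4_000_000,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    # eDonkey port, modest volume
    {"src": "10.1.2.32", "dport": 4662, "bytes_out": 25_000_000,
     "payload": b"\xe3\x9e\x00\x00\x00\x01"},
    # Plain FTP upload carrying an SSN
    {"src": "10.1.2.33", "dport": 21, "bytes_out": 1_200_000,
     "payload": b"customer_export.csv: 123-45-6789,Jane Doe\r\n"},
]
SAMPLE_BASELINE = {"10.1.2.30": 80_000_000, "10.1.2.31": 3_500_000,
                   "10.1.2.32": 20_000_000, "10.1.2.33": 1_000_000}

if __name__ == "__main__":
    for host, reasons in review(SAMPLE_RECORDS, SAMPLE_BASELINE).items():
        print(host, ", ".join(reasons))
```

Run as-is, it flags 10.1.2.30 on the handshake and the volume spike (not on the port, which is the point of the baseline check), 10.1.2.32 on the eDonkey port alone, and 10.1.2.33 on the SSN pattern; the TLS client is untouched. In production the record source would be a flow collector or IDS export and the baseline a rolling per-host figure, but the decision logic is the same.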
Permitting P2P Programs: How to Keep Data Safe

Some organizations may ultimately decide to permit P2P programs on their networks because of some of the benefits discussed above. If they do, however, they should take certain steps to prevent unauthorized file sharing. First, organizations should select one P2P program and provide it directly to authorized users from an internal server rather than from a public download site. This will reduce the chance that the program will contain viruses or other malware. In addition, they should be certain to update the approved P2P program often from a verified source to incorporate the latest security patches.

Companies should also use the tools and techniques discussed above to detect unapproved P2P programs on their network and to block any traffic associated with them. Finally, they should block outbound traffic through the approved P2P program to prevent sharing the types of files that most often contain sensitive information, including files that have the suffixes .doc, .docx, .xls, .xlsx, .mda, .mdb, .txt, and .pdf. If these are the types of files the organization needs to share, it may want to consider another file-sharing program.

What About Remote Access?

More organizations are allowing their employees, contractors, vendors, and service providers to access their network remotely. Organizations that allow this type of remote access may need to use additional security measures. For example, remote access should only be permitted through secure connections to the organization's network, like Virtual Private Network (VPN) software or Secure Sockets Layer (SSL, now TLS). They should also consider providing company computers to employees who access their network remotely, rather than allowing them to use their own personal computers. The computers the organization provides should have the same security measures used at work to prevent, detect, and block unauthorized file sharing to P2P networks.

Companies should restrict the locations to which work files containing sensitive information can be saved or copied. They should allow those working remotely to access, use, and modify the files, but not to download them. Organizations should also exercise due diligence to ensure that anyone accessing their network has appropriate security policies and procedures to address the risks associated with P2P programs.

Conclusion

Data security risks associated with P2P programs can be significant, but there is much organizations can do to protect themselves and their data. There are significant costs associated with poor data security, including, for example, a potential FTC enforcement action for unfair and deceptive trade practices.9 There are, however, many simple and relatively low-cost measures that companies can take to ensure their data remains confidential.

Kristin Krause Cohen is an attorney with the Division of Privacy and Identity Protection in the Federal Trade Commission's Bureau of Consumer Protection, where her work focuses primarily on identity theft and investigations into businesses' compliance with federal data security laws and regulations. This article represents the views of the author and does not represent the views of the FTC or any individual Commissioner or office.
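The share rule for an approved client described in "Permitting P2P Programs" above, together with the file-naming guidance from the training discussion, expressed as code: a deny-or-allow decision for each file the client is asked to publish, and an audit that walks a folder designated for sharing and reports what would be denied. This is an added example written for this edit, not the article's or any client's own code. The blocked suffixes are the article's list; the name terms are the article's three examples and are an assumption as a starting list; the sample folder contents are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Suffixes the article lists as the file types that most often carry
# sensitive information; the approved client must not publish them.
BLOCKED_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx",
                    ".mda", ".mdb", ".txt", ".pdf"}

# Terms from the article's file-naming guidance. Assumption: a starting
# list, to be extended with terms that describe your own data.
SENSITIVE_NAME_TERMS = ("ssn", "tax", "medical")


def share_decision(filename):
    """Decide whether the approved P2P client may publish `filename`.

    Returns ("allow", "") or ("deny", reason). The suffix rule is checked
    first; the name rule then matches a term only as a whole word, so a
    file such as "taxonomy.mp3" is not mistaken for a tax record."""
    path = Path(filename)
    suffix = path.suffix.lower()
    if suffix in BLOCKED_SUFFIXES:
        return "deny", f"blocked suffix {suffix}"
    stem = path.stem.lower()
    for term in SENSITIVE_NAME_TERMS:
        if re.search(rf"(^|[^a-z]){term}([^a-z]|$)", stem):
            return "deny", f"sensitive term '{term}' in name"
    return "allow", ""


def audit_shared_folder(root):
    """Walk a folder designated for sharing and list every file the policy
    would deny, as (path relative to root, reason), so it can be moved out
    before the client publishes it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            verdict, why = share_decision(name)
            if verdict == "deny":
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, why))
    return sorted(findings)


def build_sample_share(root):
    """Create a constructed shared folder for the demonstration (not real
    data): two media files, a spreadsheet, a tax PDF, a note and a CSV."""
    for name in ["band_demo.mp3", "holiday.mp4", "Customer_SSN_list.xlsx",
                 "notes/2009_tax_return.pdf", "notes/readme.md",
                 "medical-claims.csv"]:
        p = Path(root, name)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder")


def demo():
    """Build the sample folder in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_share(d)
        return audit_shared_folder(d)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"DENY {rel}: {why}")
```

Run as-is, the audit denies the spreadsheet and the PDF on suffix and the CSV on its name, and leaves the two media files and the note alone. The same share_decision is what you would wire into the client's share hook or a scheduled pre-publish check; note that it is a deny list, and, as the article says, an organization that needs to move .doc or .pdf files through the client has chosen the wrong tool.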
Endnotes

1 See Brian Krebs, Justice Breyer Is Among Victims in Data Breach Caused by File Sharing, July 9, 2008, available at content/article/2008/07/08/AR2008070802997.html.

2 See Jaikumar Vijayan, Leaked House Ethics document spreads on the Net via P2P, Computerworld, October 30, 2009, available at Leaked_House_Ethics_document_spreads_on_the_Net_via_P2P.

3 See Nicole Lewis, P2P Puts Medical Data At Risk, InformationWeek, March 18, 2010, available at http://www. showArticle.jhtml?articleID=224000042.

4 See FTC Staff Report, Peer-to-Peer File-Sharing Technology: Consumer Protection and Competition Issues, June 2005, available at p2p05/050623p2prpt.pdf.

5 Voluntary Best Practices For P2P File-Sharing Software Developers to Implement to Protect Users Against Inadvertently Sharing Personal or Sensitive Data, DCIA, available at http:// pdf.

6 See, e.g., Letter from Mary K. Engle, Associate Director, Division of Advertising Practices, Bureau of Consumer Protection, to Eric Klinker, CEO, BitTorrent, Inc., Regarding Inadvertent Sharing Protection Group Voluntary Best Practices Compliance, December 10, 2009, available at os/closings/091210bittorrenletter.pdf; Letter from Mary K. Engle, Associate Director, Division of Advertising Practices, Bureau of Consumer Protection, to Jim Kott, President, Abacast, Inc., Regarding Inadvertent Sharing Protection Group Voluntary Best Practices Compliance, October 29, 2009, available at pdf.

7 FTC press release, Widespread Data Breaches Uncovered by FTC Probe, February 22, 2010, available at opa/2010/02/p2palert.shtm.

8 See FTC, Peer-to-Peer File Sharing: A Guide for Business, available at ness/idtheft/bus46.shtm.

9 See enf.html (listing of settlements of unfair and deceptive trade practice charges related to inadequate data security).

National Data Security Standards: Potential Implications of Preemption

John Fedele

A great deal of attention has been paid to the data security regulations promulgated by the Massachusetts Office of Consumer Affairs and Business Regulation – "Standards for Protection of Personal Information of Residents of the Commonwealth" (Massachusetts Regulations).1 By all accounts, the Massachusetts Regulations – for which compliance was required by March 1, 2010 – represent one of the most aggressive and comprehensive attempts to require companies to adopt data security measures. At the same time that states such as Massachusetts have been expanding their data security laws, there also have been calls to federalize data security legislation to establish a single, uniform security standard. Currently, there are several bills pending before Congress that would do precisely that, and would likely preempt similar state legislation. This article examines whether such a uniform standard preempting state laws could actually lower the security standard that regulated entities would need to achieve in places like Massachusetts.

Massachusetts: An Example of State Regulation

Although the vast majority of states currently have breach notification laws, Massachusetts is the first to adopt broad-reaching, omnibus regulations concerning the manner in which companies protect their data. The Massachusetts
Regulations require every person that owns or licenses personal information about a resident of the state of Massachusetts to develop, implement, and maintain a written comprehensive information security program, as well as to employ an extensive list of computer system security measures. Massachusetts is not the only state to pass a data security law, but the Massachusetts Regulations contain some of the most specific direction regarding necessary components of a compliance program.

Notwithstanding these specific directives, the Massachusetts Regulations also encompass a number of more general provisions akin to those found in the federal laws and regulations, such as the interagency regulations promulgated under the Gramm-Leach-Bliley Act (GLBA). For example, the Massachusetts Regulations require covered entities to conduct due diligence when selecting service providers to ensure the providers' ability to protect data, and also require them to monitor, evaluate, and adjust security programs in response to changes in business operations or evolving threats.2

Where the Massachusetts Regulations distinguish themselves, however, is in the level of detail they contain regarding the security features that covered entities that store or transmit personal information electronically must incorporate into their computer systems. These security measures include, among other things:

• A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

• The assignment of unique identifications and passwords to each person with computer access;

• Encryption of all personal information stored on laptops or other portable devices, or transmitted across public networks or wirelessly; and

• Reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions.3

These detailed minimum requirements set the Massachusetts Regulations apart from existing federal regulations. In most cases, the Massachusetts Regulations, like their federal counterparts, implement a flexible standard for assessing the type of security measures that a given company should adopt. They suggest, for example, that the size and resources of, and the type of data processed by, a covered entity should be examined to determine the specifics of a reasonable data security program.4 Other parts of the Massachusetts Regulations, on the other hand (such as the encryption standards cited above), establish much clearer "minimum steps." And, whereas the Massachusetts Regulations mandate that all covered entities encrypt applicable data, federal regulations such as the Interagency Guidelines issued pursuant to the GLBA only require banks to consider whether encryption is appropriate.5 Thus, it appears that the Massachusetts Regulations require companies to restrict access to personal information much more closely than existing federal law. If there is value in this, the question is whether the value would be lost if data security standards are nationalized.

Recommendations of The Identity Theft Task Force

In 2006, President Bush issued an executive order establishing the Identity Theft Task Force.6 The order assigned a total of 15 federal departments and agencies the task of
  • The Secure Times VOLUME 5, NO. 1 | SPRING 2010developing a national strategy to help address the growing For example, H.R. 2221, sponsored by Rep. Rush (D-IL),concern about identity theft and the safety of individuals’ would require the Federal Trade Commission (FTC orpersonal information. In September 2008, the Task Force Commission) to promulgate security regulations thatissued a number of recommendations. would be applicable to businesses subject to the FTC’s ju- risdiction.8 Such regulations would likely require:Among the shortcomings in U.S. data-security regulationthat the Task Force identified was the absence of a single, • A security policy with respect to the collection, use, sale,national data security standard. The Task Force observed other dissemination, and maintenance of personal in-“a patchwork of state laws and sector-specific federal laws formation;and regulations that are varied and have uneven applica- • The identification of an officer or other individual as thetion.”7 As a solution, the Task Force proposed national point of contact with responsibility for the managementdata security standards that would apply to all private en- of information security;tities that hold sensitive consumer information. The TaskForce did not, however, offer much in the way of specific • A process for identifying and assessing reasonablyguidance as to what these standards should be. 
Instead, foreseeable vulnerabilities in the system, and regularthe Task Force opined that whatever regulations were monitoring for breaches;adopted should mandate that covered entities establish • A process for addressing vulnerabilities identified dur-“reasonable safeguards for sensitive information.” Not ing assessments; andsurprisingly, the Task Force also recommended that anyregulations allow for “flexibility to account for, among oth- • A process for disposing of personal information.9er things, the different sizes and types of entities coveredand the type of data at issue.” Another bill, S. 1490, sponsored by Sen. Leahy (D-VT), provides more detailed guidance than H.R. 2221, but ul-Proposed Federal Legislation timately does not impose obligations not already foundA number of federal legislators have heeded the recommen- in existing federal legislation. Instead, S. 1490 extendsdation of the Task Force and are now seeking to institute a the reach of federal data security law to businesses thatfederal standard for data security. Various data security maintain sensitive personally identifiable informationbills have recently been introduced, and although differ- in electronic form on more than 10,000 U.S. persons.10ences exist among the bills, they are generally very similar Among the obligations it would impose on businesses are:with respect to the data security standards they propose. • A risk assessment designed to identify vulnerabilities;In all cases, the standards are flexible (as suggested by theTask Force), and lack the specificity of the Massachusetts • A security program to control access to sensitive infor-Regulations. mation, detect attempted unauthorized access to that information, properly dispose of sensitive data, and oversee service providers’ access to data; 30
  • The Secure Times VOLUME 5, NO. 1 | SPRING 2010• A security training program for employees; sachusetts Regulations, but instead would be subject to a more flexible standard that, because of their size, might ac-• Regular vulnerability testing; and cept a lower level of data protection.• Review of the efficacy of the security program in light of Without question, there are advantages to a national data changing circumstances.11 security standard, such as more predictability for busi-Another draft bill, recently circulated by Rep. Boucher nesses subject to only one regulator and lower compliance(D-VA), would likewise impose only general data security costs. There are also advantages to evaluating securityrequirements on covered entities to “establish, implement, obligations with respect to the factors set forth in federaland maintain appropriate administrative, technical, and law, such as resources, and the nature of the particularphysical safeguards.” 12 And again, the standard for as- business. However, some consideration should be givensessing compliance would be based on a sliding scale that to whether establishing a national minimum standard,considers “the size and complexity of the covered entity, while still allowing states to impose more rigorous regu-the nature and scope of the activities of a covered entity, lation, would offer any additional benefits. Data securitythe sensitivity of the covered information, the current regulation is still relatively new, and there may be value instate of the art in administrative, technical, and physical permitting states to experiment with the manner in whichsafeguards for protecting information, and the cost of im- they require businesses to protect consumer data.plementing such safeguards.”13 John Fedele is an associate in Baker & McKenzie’s Washington, D.C. office where he is a member of theConclusion Antitrust and Litigation groups. 
His practice focuses onThe proposed federal legislation seems to offer nothing counseling clients on a broad range of competition issuesnew with respect to data security standards, with one ex- and assisting clients respond to government investigationsception: the proposed federal legislation would preempt in a variety of areas, including data security.state data security regulation. While perhaps more oner-ous, the Massachusetts Regulations arguably offer clearer Endnotesdirectives than existing or proposed federal regulation.By mandating preemption, the federal bills preclude any 1 201 Mass. Code Regs. 17.00 et seq.assessment of whether the specific guidance contained in 2 See, e.g., Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. § 30, Appendixthe Massachusetts Regulations provides advantages over B, Part III D, E.existing federal standards. In addition, if passed, the pro- 3 201 Mass. Code Regs. 17.04(1)(b), 2(b), (3), (5), (7).posed legislation would likely lower the level of securitydemanded from businesses, particularly smaller business- 4 See e.g., Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 12 C.F.R. § 30, Appendixes, now subject to the Massachusetts Regulations. Small B; FTC Safeguards Rule, 16 C.F.R. § 314.businesses would no longer need to adopt the universal 5 12 C.F.R. § 30, Appendix B, Part III(C)(1).security procedures and practices included in the Mas- 31
  • The Secure Times VOLUME 5, NO. 1 | SPRING 20106 Executive Order 13402, May 10, 2006.7 The President’s Identity Theft Task Force Report (Sept. 2008) at 13.8 Data Accountability and Trust Act, H.R. 2221, 111th Cong. § 4 (2009).9 Id.10 Personal Data Privacy and Security Act of 2009, S. 1490, 111th Cong. § 301 (2009).11 Id.12 Draft available at stories/Privacy_Draft_5-10.pdf.13 Id. 32