Legal & Security Risks in Off-Network Technology


White paper discussing the risks associated with managing off-network IT devices.


Life Cycle Security for IT Assets

Thanks for downloading this eBook. You may also share any thoughts or questions directly by emailing at:

You may republish excerpts from this eBook as long as they are accompanied by an attribution link back to

This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License. You are free to share, copy, distribute and transmit the work under the following three conditions:
1. Attribution — You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).
2. Noncommercial — You may not use this work for commercial purposes.
3. No Derivative Works — You may not alter, transform, or build upon this work.
To view a copy of this license, visit or send a letter to: Creative Commons, 171 Second St, Suite 300, San Francisco, CA 94105 USA

Copyright ©2013 Brass Valley LLC
One Man’s Trash... The Same Man’s Liability

Michael Lightfoot sipped a sweating can of diet Pepsi and set it down between a pile of documents and his cell phone. His office door popped open and Christy, his secretary, leaned her head in, “Mr. Lightfoot there is a Mr. Sampson here to see you. He didn’t have an appointment but he is freaking out in the waiting room.” Michael nodded to let him in.

Bill Sampson bustled in a minute later sweating as much as the can of soda. In a frantic tone he recounted his morning. “I had been at work for about an hour and I was going through emails from this weekend when a sheriff walks up. There was his badge and a big gun, with a sour look on his face. My stomach plummeted. I thought he would arrest me right then in front of my whole office. Instead he hands me a subpoena and tells me I’ve been charged with what amounts to criminal negligence. I read on and find out that someone got hold of a computer that we sent out to be recycled and got a truck load of information off of it, customer credit info, employee medical records and they say I’m liable.”

Indeed you may be, Bill, I thought. If Bill didn’t dispose of his old computer equipment properly and doesn’t have the evidence to back it up in court, he will be found guilty.

“How would I have evidence for that?”, he bellowed. “Am I going to jail? Will the fines bankrupt my business?”

“Well, let’s see what you have.”
Table of Contents

Introduction 5
Laws Governing the Security of Off-Network Devices 7
The Undeniable Trend Toward Increasing Regulation and Enforcement 9
Off-Network Devices That Store Sensitive Information 12
Information Stored on Off-Network Devices 13
What Is My Liability? 14
Ramifications of Data Breaches 18
Protecting Off-Network Devices? 21
How to Get Started 25
About Brass Valley 26
About Michael Lightfoot 26
Footnotes 27
Introduction

According to a Ponemon study, 70% of data breaches come from off-network equipment. This is equipment that has been decommissioned, misplaced, or stolen. However, the vast majority of corporate budgets are spent on protecting on-line assets, although the law makes no distinction between on-line and off-line. Regardless of the network status, the company bears responsibility for protecting sensitive information.

The global market continues to demand better and faster access to the information necessary to respond to market changes. Consequently, organizations are continuously implementing state-of-the-art devices and deactivating “obsolete” equipment. In working with computers and data security for the last 30 years at corporations such as Allstate Insurance, and as attorney for Research and Development at Motorola, we witnessed this process first-hand.
But what becomes of that decommissioned technology? What are the legal requirements when you retire this equipment? Do you have a process for determining what data is on these devices? How do you securely and properly dispose of these devices? What could you prove in a court of law, and would your proof be sufficient to be admissible?

Every person within the organization must have an increased awareness of the threat to data security. The threat is real and takes many forms, including:
• Consumer fraud through identity theft
• Exploding corporate espionage intent on embarrassing your organization
• Disgruntled employees
• Organized crime
• State-sponsored spying in search of financial and/or competitive advantage

Headlines such as those involving the NSA and data security privacy are seen daily and are usually related to on-line activities. The dirty little secret is that most breaches are occurring off-network. Think about it: if you really wanted to acquire sensitive data, would you rather attack the company where they have their highest level of defense, or would you rather attack where they are weakest?
Laws governing the security of Off-Network Devices

Dependent on your industry, the laws which govern how off-network devices are managed could include:
• HIPAA – Healthcare
• Sarbanes-Oxley – Financial services
• EPA regulations – Environmental regulations
• Federal Communications Commission regulations – Broadcast providers, phone service providers
• PCI regulations – Credit card data
• FDA (21 CFR Part 11) – Pharmaceuticals
• Gramm-Leach-Bliley – Banking
• PII – Personally identifiable information**
• State-by-state laws
• Federal legislation

** For legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the legal term is being used. PII covers:
1. any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and
2. any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
So, for example, a user’s IP address as used in a communication exchange is classified as PII regardless of whether it may or may not on its own be able to uniquely identify a person.

As you can see, regulations may sometimes overlap. For example, a healthcare agency that processes credit cards may be governed under both HIPAA and PCI regulations.
The Undeniable Trend Toward Increasing Regulation & Enforcement

Governments at the State and Federal levels have recognized the growing exposure related to information security. As a result, to combat these threats, there are growing mandates to control and access our data. Evidence of this trend is that many of these mandates are finding their way into legislation not originally intended to address data protection.

EXAMPLE 1
Let’s take a look at what has happened in the Healthcare industry with HIPAA, which is the first of many industries to be affected by this type of regulation in the near future. Under the American Recovery and Reinvestment Act of 2009, commonly known as the Stimulus Bill, States’ Attorneys General were empowered to prosecute HIPAA violations. So what was once only a Federal violation has now become a violation at both the Federal and State level. [1]
EXAMPLE 2
In March 2013 the U.S. Department of Health and Human Services (HHS) moved forward to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Their Omnibus Final Rule greatly enhanced a patient’s privacy protections, provided individuals new rights to their health information, and strengthened the government’s ability to enforce the law. The Omnibus Rule marked the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented in 1996.

Among other things, the Omnibus Final Rule revised the existing rule on breach notification for unsecured protected health information under the HITECH Act. The rule added language to the definition of a breach to identify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or Business Associate demonstrates that there is a low probability that the protected health information has been compromised. The rule also removed the harm standard and modified the risk assessment in order to focus objectively on the risk that the protected health information has been compromised.
The more objective factors that must be considered when performing a risk assessment to determine whether the protected health information has been compromised and breach notification is necessary are also identified in the Omnibus Final Rule. [2]

From HIPAA and other regulations we see that electronic devices that store or access private data (in particular health-related and financial-related data) require companies that handle such data to be extremely cautious with it, or risk loss of revenues, negative customer impact (which can trigger lawsuits against you, as we will see below) and bad publicity and its impact on an organization’s reputation. The potential consequences of not being able to prove you have performed due diligence in the protection of sensitive information can be severe.
Off-Network Devices That Store Sensitive Information

Below is a list of some of the types of equipment that will go off-network at some point in their lifecycle:
• PCs and laptops
• Tablets
• Servers
• Cloud
• Phone systems
• Aviation electronics
• Two-way radios
• Medical devices
• Spare parts
• Lottery equipment / gambling systems
• Repaired & broken equipment
• Wi-Fi devices / networking devices
• Network devices
• Telecom systems, VoIP, digital phone systems, PBXs
• Copiers
• Camera equipment
  o Surveillance
  o Security
  o Sensors
• Smart phones
  o Company owned/supplied (paid for?)
  o Personal (bring your own device)
• Storage arrays
• Broadcast audio/video equipment for the TV/movie industry
• Tape libraries / tape drives
• Banking equipment, imaging systems, ATMs, etc.
Information Stored on Off-Network Devices

Off-network devices can often contain proprietary internally developed software; network access information that could be used by hackers to identify network routing information and other passwords; confidential client information like social security numbers; patient information; personnel information; and trade secrets. For example, a phone system may have user information on it, a copier may hold copies of your most sensitive documents on its hard drive, and networking devices contain IP addresses and passwords that could allow an outsider to penetrate your network.
What is my Liability?

A common misconception is that liability is transferred with the transfer of title to the equipment. However, in reality, liability remains with the owner of the data (for the life of the data) even if that data is no longer in your control! Liability is integrated with the data! When you sell equipment or transfer it to an asset disposition provider, they have possession, not liability, even after transfer of title has occurred.

Your specific liability depends on your role in the company, your industry (i.e. healthcare, financial institutions, people that handle credit card information, etc.), and what type of data you have, as well as how you handle the management, storage, and disposal of the device. Here are some examples:

Public Companies
Public companies are subject to the Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), which through its 11 titles, or sections (ranging from additional corporate Board responsibilities to criminal penalties), clearly places the legal responsibility for accurate financial reporting (including information security and valuation) squarely on the shoulders of senior management, including the potential for personal criminal liability for CEOs and CFOs. Recent derivative litigation against directors (i.e. Walt Disney Company, etc.) suggests that plaintiffs will attack by a showing of bad faith by directors in their failure to exercise due care.

Financial Institutions
According to the Federal Register [3], all financial institutions must “develop, implement, and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards.” Banking and financial institutions must also “take reasonable steps to assure itself that any third party to which it discloses customer information has safeguards that are adequate to fulfill the representations made by the financial institution regarding the security of customer information or the manner in which it is handled by third parties.”
Intellectual Property Liability
Often overlooked in data security discussions, Intellectual Property (IP) protection, especially regarding patents and trademarks, has become increasingly important in most industry sectors in the United States. Information security in protecting and valuing this IP (including off-line equipment) is one of the key technical and legal issues challenging corporations today. Yet IP is an often overlooked component of Board strategy, performance and risk.

Director Liability
Directors need to understand how intellectual property relates to corporate strategy and have processes in place to make certain that critical issues related to the protection of intellectual property are brought to the Board’s attention in a timely manner. In certain circumstances, federal intellectual property laws hold officers and directors liable for their corporation’s infringing acts.
Generally a court will respect a Board’s decision unless the directors:
• are “interested” or lack independence relative to the decision; or
• fail to act in good faith; or
• act in a manner that cannot be attributed to a rational business purpose; or
• reach their decision by a grossly negligent process.

It is important to understand when a corporation’s liability can become a personal liability. The laws governing licensing, copyrights, trademarks and patents each deal with the issues of liability for officers and directors slightly differently. Directors need to clearly understand the circumstances and types of activities that can result in their being held personally liable for infringements, so that corporate directors (and officers) can conduct themselves appropriately and obtain proper insurance and indemnification agreements.
Ramifications of Data Breaches

The liability that can arise from breaches of data security is a growing legal trend, where lawsuits are filed against companies when data that is considered proprietary or is classified as personally identifiable information is made public. When a customer, vendor, or patient is harmed through the misuse of their data, your company remains liable.

The liability is generally dictated by a legal theory of damages known as the “Learned Hand Formula for Damages.” This legal liability model dictates that:
1. if protecting the data from damages was less costly than the potential damage that could be done from the loss of the data multiplied by the probability of the data loss occurring,
2. then the party that was negligent in its duties to protect that data is liable for damages.
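The two conditions above are the Hand rule written out in words; as an added restatement in its usual notation (not a formula printed in the eBook), let $B$ be the burden, i.e. the cost of the precaution that would have protected the data, $P$ the probability that the loss occurs, and $L$ the magnitude of the loss when it does. The party that omitted the precaution is negligent, and therefore liable, when

$$B < P \cdot L$$

The product $P \cdot L$ is the expected loss; spending less than that on protection and then suffering the loss is what the text calls failing in the duty to protect the data.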
The graph below illustrates the above points.

[Figure: risk management maturity graph. Horizontal axis: Risk Management Maturity. Vertical axis: Treatment of Risk (security procedures). Labels on the graph: Due Diligence; Under Controlled; Liability Zone; Liabilities; Risk Increases Without “Due Diligence”; Compliance Line; Achieved Compliance “Reasonable & Appropriate”; Over Controlled; Perfect Security.]
• $1,000 per record: the average cost in a medical data breach.
• 25,000 records per incident: the average number of records stolen.
• $1.5 million per breach event: damages, assuming liability to the company. This figure only accounts for money paid in damages and does not include legal fees, time lost, reputation damage and other factors.

There are currently lawsuits against the Veterans Administration (just settled for $400,000), and a Blue Cross lawsuit asking $4 billion in damages. Both are examples of the type of liability an organization might be subject to should it fail to comply with the regulations and laws to which it is subject. In these examples, the regulations are HIPAA and the recently passed (March 2013) HIPAA Omnibus regulation.

Sarbanes-Oxley, a law passed after the Enron fraud, provides for criminal penalties for CEOs, CFOs and others who execute documents where the information turns out to be, through negligence or criminality, false. See “One Man’s Trash... The Same Man’s Liability” (page 3) for a brief example. Sarbanes-Oxley also requires protection of intellectual property (IP) such as trade secrets, computer-aided drawings, formulas, patents, credit card data, and financial accounting information, which more and more are in electronic formats.
Protecting Off-Network Devices?

Good security practices should remain in effect regardless of the fact that the device (system, component, server, etc.) has outlived its usefulness and is removed from the network. If ever there was a place where an ounce of prevention was worth a pound of cure, this is it.

Our goal here is first to prevent unauthorized access to sensitive data, and secondly to create a trail of documentation that validates we performed due diligence in our handling of the sensitive data. Controlled processes and documentation are central to this goal. This means that internally you need to have written processes that are monitored with a QA program, and an asset disposition vendor that gets it when it comes to data security and that will be admissible in a court of law.
Some factors to keep in mind as you develop your process are:

Remember, employee theft remains the number one risk factor in any organization!

Storage: Are off-network devices containing sensitive information stored in the same area as new equipment, or maybe in a closet for convenience, potentially exposing them to a larger user community and increasing the possibility of theft or inappropriate access to the, as yet, un-scrubbed confidential data? Are there controls in place to restrict access to the equipment and log who has accessed it?

Pre-deployment: As a foundation for all that follows, we recommend inventorying incoming equipment with the use of a database that references an industry-standard nomenclature and adheres to that standard. This will save countless hours if reconciliation is required in the future, as well as provide evidence of having performed due diligence if a breach occurs.

Decommissioning: When decommissioning assets, best practices include placing them in a quarantined room with restricted and monitored access. If you are not destroying sensitive information on site, a full audit of your disposition provider is highly recommended.

“ In the near future the public will look at companies who are negligent in protecting sensitive information with the same contempt as companies that pollute the environment. ”
R. D’Amico, President, Brass Valley

If you are destroying sensitive information internally, be aware that many times data is hidden in components other than hard drives, or the hard drives are difficult to find. For the highest levels of security, where sensitive information cannot leave the premises, the room should be equipped with all tools necessary to identify where data resides and destroy it. This includes a searchable database that can be accessed by on-site personnel to locate and destroy sensitive information. QA programs must be in place regardless of where the data is destroyed, to ensure the quality of the work performed.

If sending decommissioned assets to an asset disposition provider, take the time to have an accurate inventory of what is leaving your building and reconcile it with the reports they produce. Do not provide the list of equipment to the asset disposition provider in advance. Have a process in place to address discrepancies.

Documentation: Documentation is used to prove compliance from an environmental and data security perspective. The quality of your documentation and your ability to produce it in a timely manner will greatly impact the outcome of an audit if something were to go wrong. Best practices include an auditable chain of custody that proves possession two levels downstream from your facility. Quality reports for each lot, as well as proof of data destruction in a verifiable electronic format, are recommended. An example of proof of network equipment sanitization would be HyperTerminal print-screen shots. Video monitoring of shredding may be recommended for your industry.

Plan for the worst: Have a response plan in place for what will happen if something goes wrong. Find out what you’ll need to do, who will need to be notified, what documentation you will need, what your vendor will do to support you, what your insurance covers, and where your insurance coverage falls short.

Insurance: Many times asset disposition provider insurance is insufficient to protect you, or protects them and leaves you vulnerable. Review the insurance your asset disposition provider carries; understand what is covered, what is not, and who is covered. A good policy will cover cyber liability, victim notification and credit monitoring, and unlimited attorney fees, to name a few.
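The inventory-and-reconcile step and the two-levels-downstream chain-of-custody check described above, as an added worked example. This is illustrative code written for this edition, not Brass Valley's tooling and not any real disposition vendor's report format: the outbound inventory, the vendor report and the custody log are all constructed sample data, and the field names (asset_tag, serial, data_bearing) and the destruction-method strings are assumptions. It flags serials the vendor never acknowledged, serials in the vendor report that never left the building, data-bearing items with no destruction record, and any serial whose hand-off chain is broken or shorter than two parties downstream.

```python
"""Reconcile an outbound decommissioning lot against the disposition vendor's
report and check the chain of custody two hand-offs downstream.

Added illustration; not Brass Valley's tooling or any vendor's format.
Every record below is constructed sample data and the field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_tag: str
    serial: str
    kind: str
    data_bearing: bool  # disk, flash, or a config holding addresses/credentials


@dataclass(frozen=True)
class CustodyEvent:
    serial: str
    from_party: str
    to_party: str
    timestamp: str  # ISO-8601 text is enough for ordering within one lot


# Outbound inventory recorded at the loading dock (constructed). Per the eBook's
# advice it stays internal and is NOT sent to the vendor ahead of the pickup.
OUTBOUND = [
    Asset("BV-0001", "SN-LAP-1111", "laptop", True),
    Asset("BV-0002", "SN-SRV-2222", "server", True),
    Asset("BV-0003", "SN-SW-3333", "switch", True),    # config holds IPs and passwords
    Asset("BV-0004", "SN-MON-4444", "monitor", False),
    Asset("BV-0005", "SN-CPY-5555", "copier", True),   # copier hard drive
]

# Vendor's report (constructed): serial -> destruction method; "" = received only.
VENDOR_REPORT = {
    "SN-LAP-1111": "shred",
    "SN-SRV-2222": "degauss+shred",
    "SN-MON-4444": "",
    "SN-CPY-5555": "",        # received, but no destruction recorded
    "SN-XTR-9999": "shred",   # a serial we never shipped
}
# SN-SW-3333 is deliberately absent from the vendor report.

# Chain-of-custody log (constructed); the server's second hand-off has a gap.
CUSTODY = [
    CustodyEvent("SN-LAP-1111", "Acme Corp", "HaulCo", "2013-03-01T09:00"),
    CustodyEvent("SN-LAP-1111", "HaulCo", "ShredCo", "2013-03-02T11:00"),
    CustodyEvent("SN-SRV-2222", "Acme Corp", "HaulCo", "2013-03-01T09:00"),
    CustodyEvent("SN-SRV-2222", "Recycler X", "ShredCo", "2013-03-03T10:00"),
]


def reconcile(outbound, vendor_report):
    """Compare what left the building with what the vendor says it received and
    destroyed. Returns only the non-empty discrepancy classes."""
    shipped = {a.serial: a for a in outbound}
    findings = {
        "missing_from_vendor_report": sorted(s for s in shipped if s not in vendor_report),
        "unexpected_in_vendor_report": sorted(s for s in vendor_report if s not in shipped),
        "data_bearing_without_destruction": sorted(
            s for s, a in shipped.items() if a.data_bearing and not vendor_report.get(s)
        ),
    }
    return {k: v for k, v in findings.items() if v}


def custody_gaps(events, origin, serials, depth=2):
    """For each shipped serial, verify an unbroken hand-off chain that starts at
    `origin` and reaches at least `depth` parties downstream."""
    by_serial = {}
    for e in events:
        by_serial.setdefault(e.serial, []).append(e)
    gaps = {}
    for serial in serials:
        chain = sorted(by_serial.get(serial, []), key=lambda e: e.timestamp)
        problems = []
        holder = origin
        for e in chain:
            if e.from_party != holder:
                problems.append(f"hand-off from {e.from_party!r} but last holder was {holder!r}")
            holder = e.to_party
        if len(chain) < depth:
            problems.append(f"{len(chain)} hand-off(s) recorded, {depth} required")
        if problems:
            gaps[serial] = problems
    return gaps


if __name__ == "__main__":
    for name, serials in reconcile(OUTBOUND, VENDOR_REPORT).items():
        print(f"{name}: {', '.join(serials)}")
    shipped_serials = [a.serial for a in OUTBOUND]
    for serial, problems in custody_gaps(CUSTODY, "Acme Corp", shipped_serials).items():
        print(f"{serial}: {'; '.join(problems)}")
```

Run the file directly to print each discrepancy class and each broken custody chain. The comparison only carries evidential weight because the outbound list is recorded independently of the vendor: a report that merely echoes a list you supplied in advance proves nothing about what was actually received or destroyed.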
How to get started

Many companies struggle with how to get started in addressing security for off-network devices. Here are three simple steps you can take to get you headed in the right direction:
1. Consult with an attorney experienced in data security and technology law to position your company as best you can, so you are prepared if something goes wrong.
2. Have an assessment provided by an IT lifecycle management company like Brass Valley. With this assessment you will learn where you are exposed and how to close the gaps.
3. Consult with an insurance provider who is experienced in cyber security to make sure you have adequate insurance to protect you and your company if you have to make a claim. The insurance provider can give you guidance.
About Brass Valley

Brass Valley is an IT Asset Lifecycle Service provider and industry leader in client protection practices. We work with clients and industries such as financial services, healthcare, and the Fortune 1000, where protection of sensitive information is a high priority. To learn more about Brass Valley visit us at

425 Fortune Blvd., Milford, MA 01757
877-396-2872
Footnotes

[1] Under the Act, Subtitle D §13410 specifically provides for improved enforcement by the States’ Attorneys General (SAG). SAG may bring civil actions for alleged violations of the Privacy and Security Rules on behalf of state residents. The ARRA/HITECH portions of the legislation institute federal breach notification requirements. The Bill extends liability under federal rules to Business Associates of Covered Entities. The potential consequences of not protecting privacy or security can be severe. Health information is defined as “including demographic information collected from an individual if it is created or received by a healthcare provider, health plan, employer, or health care clearinghouse…” The Privacy Rule is defined in 45 CFR, Part 164, titled “Security and Privacy”. Subpart D, among other things:
  o Establishes standards for use and disclosure of Personal Health Information (PHI) by covered entities
  o Establishes individuals’ rights with regard to their PHI
  o Sets out general rules that covered entities/Business Associates may only use and disclose PHI as permitted or required by the HIPAA Privacy Rule
  o Provides standards explaining permitted and required uses and disclosures
  o Outlines administrative requirements for covered entities
  o Addresses security standards and implementation specifications to prevent electronic PHI (ePHI) from unauthorized disclosure or access
  o Defines three types of safeguards that covered entities are required to have in place to protect ePHI: administrative, physical, and technical

[2] The factors that must be considered as part of the risk assessment are: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated. Depending on the circumstances, other factors may also be considered as part of the risk assessment. 78 Fed. Reg. 5566 (January 25, 2013).

[3] Federal Trade Commission, CFR Part 314, Standards for Safeguarding Customer Information; Final Rule.