Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werby at BSides Missouri 2011

Published on

Data breach notification laws have proliferated worldwide, beginning with California’s law, which was enacted nearly a decade ago. As a result, citizens are being bombarded by breach notifications and media coverage of data exposures has skyrocketed. But are these increasingly onerous laws leading to stronger information security and better decisions by citizens or are they backfiring? I’ll compare existing laws, analyze data breach notifications and explore the effects of these laws, including feedback from citizens and information security professionals. By comparing data exposure disclosure to other negative events that don't require disclosure and sharing alternate disclosure models, I'll leave the audience questioning whether there's a better way.

Published in: Law, Technology
Transcript of "Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werby at BSides Missouri 2011"

Data Breach Notification Laws - Time for a Pimp Slap
10/21/2011
Steve Werby, Chief Information Security Officer, University of Texas at San Antonio

Pimp slap
• A powerful, backhanded slap to the face

@stevewerby
• Favorite color: Cadet blue
• Hobby: Stalking divorcees under age 25
• Favorite number: 6.0221415 × 10^23
• Pet’s name: Cujo
• Favorite movie: Santa with Muscles
• Last 4 of my SSN: 6497
• Place of birth: Delta City

@stevewerby
• Infosec since ’99 - ran 2 IT consultancies ’99-’04
• Analyst at a university, CISO at a state agency, CISO at a university (×2)

Today’s menu
• Incidents I was involved in
• Data breach notification laws - what and why
• Issues
• Alternatives to achieve the desired goal

Definitions
• Exposed: made accessible to an unauthorized person
• Breached / compromised: access gained by an unauthorized person
• Misused: used by an authorized person for an unauthorized purpose
• Potential: possible != actual

Getting to know you
• Received a data breach notification?
• Been involved in handling one?
• Investigated the incident that led to it?
• Participated in the decision about whether to notify?
• Identified contact information?
• Wrote notification content?
• Handled notification logistics?
• Answered calls from affected individuals?
• Caused an incident that led to a notification?

Example exposures…maybe
• Data sanitization vendor’s driver sold laptops
• Medical provider’s computers stolen
• Grade processing system stolen
• Personal info exposed to unauthorized employees
• Web hosting provider’s password DB compromised

$
• Sony - $10s of millions
• Those I’ve been involved in – 5-6 figures

$ (continued)
Example: 12/15/2010 Ohio State exposure of 760,000 individuals’ names, DOBs and SSNs
• 3rd-party forensic analysis - $222,000
• Legal consultant - $100,000
• Communications consultant - $50,000
• Notification and credit protection - $3,700,000
• Reputational damage - ?
• Employee time - ?

2 recent examples
• TRICARE
• Stanford Hospital

Tip of the iceberg
• Only a tiny fraction of data exposures are disclosed

In the beginning
• California’s law: enacted in 2002, effective in 2003
• Limited to data related to financial identity fraud

Motivation
• Perception that breaches of electronic data involving personally identifiable information were increasing

Increase in electronic breaches?
• Actual increase not verifiable
• Doesn’t consider growth in electronic data storage
• Substantial % of identity fraud not due to electronic data
• Remote system accessibility & portable storage increase
• Breach stats combine actual and potential
• Has led to a cycle: more/broader/improved laws => more reporting => more individual awareness & more media coverage => improved security resources, processes, posture => more breaches discovered => more/broader/improved laws

Rationale
• Provides necessary information for affected individuals to make informed decisions to mitigate impact
• Negative consequences associated with disclosure will result in improved security practices

Boom goes the dynamite

Types of harm
• Death and physical harm
• Financial loss
  • Loss of $, loss of property, property damage
  • Credit score damage
  • Financial identity fraud: account takeover, account creation
• Social harm
  • Loss of job, damage to professional opportunities
  • Relationships, embarrassment

AYCE (all-you-can-eat) notification
• Death and physical harm
  • Murderers, violent offenders, mentally unstable
  • People with contagious disease, speeders, drunk drivers
• Financial loss
  • Robbery, burglary, vandalism (robber, burglar, vandal)
  • Fraud, customer complaints, charlatans
• Social harm
  • Insecure Wi-Fi APs, people who own binoculars
• Provides necessary information for at-risk individuals to make informed decisions to mitigate impact
• Negative consequences associated with disclosure will result in a reduction in risk

Data breach notification laws
• Federal laws
  • Health records – HITECH Act (via HHS and FTC)
  • Financial records – GLBA, FTC Safeguards Rule
  • Education records – FERPA
  • Federal agencies’ records – FISMA, OMB, VA
• State+ laws
  • 46 states (MA and NC cover paper too)
  • DC + Puerto Rico + Virgin Islands
• International
  • Europe
  • Japan
  • And more

Data breach notification laws

Data breach laws - future
• Federal laws
  • Existing laws are in flux
  • Overarching national law could be coming
• State+ laws
  • Scope and other details changing
  • Alabama, Kentucky, New Mexico, South Dakota
  • Texas healthcare, California beefing theirs up
• International
  • Europe considering expanding beyond telecom
  • Canada
  • Taiwan

Components
• Who the law applies to
• Types of data covered
• State/format of data covered
• What constitutes a breach
• Disclosure obligations
• Non-compliance ramifications
• Exceptions

Who the law applies to
• Entity || individual (may specify type)
• Conducts biz in state
  || Maintains data of residents of state
  || Resulted in or may result in a type of harm to a resident of the state

Types of data covered
• (First name || first initial) && last name
  +
  (SSN || DL || unique government ID)
  || ((Financial account # || CC # || debit card #) && (Security code || password))
  || (Medical info || health insurance info)

State/format of data covered
• Electronic (in some cases paper too)
• Unencrypted
  || Encrypted, but key breached
  || Not redacted or altered (e.g. an SSN truncated to fewer than 5 digits or a DL truncated to its last 4 counts as redacted)

What constitutes a breach
• Unauthorized access and acquisition that compromises security || confidentiality || integrity of a record
• Sometimes must be 2+ records
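The three slides above (Types of data covered, State/format of data covered, What constitutes a breach) amount to a boolean rule that an incident responder applies to every exposed record before anyone calls counsel. The Python below is an added triage illustration, not code from the talk and not any state’s statute: the field names, the reading of the redaction thresholds (an SSN with fewer than 5 digits visible, or a DL reduced to its last 4 characters, treated as redacted) and the min_records parameter are assumptions, and the sample records are constructed. Whether notification is actually required remains a legal determination.

```python
# Added illustration (not the speaker's code, not a statute): a triage
# pass over exposed records using the covered-data pattern from the
# slides above. Field names, the redaction thresholds and min_records
# are assumptions; counsel makes the real determination.
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class ExposedRecord:
    first_name: Optional[str] = None        # full first name or first initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None               # exactly as it appeared in the exposed data
    drivers_license: Optional[str] = None
    gov_id: Optional[str] = None            # other unique government ID
    account_number: Optional[str] = None    # bank, credit or debit card number
    security_code: Optional[str] = None     # CVV, PIN or similar
    password: Optional[str] = None
    medical_info: bool = False
    health_insurance_info: bool = False
    encrypted: bool = False                 # the data element was encrypted
    key_compromised: bool = False           # ...and the key was exposed too


def _digit_count(value: Optional[str]) -> int:
    return sum(ch.isdigit() for ch in value) if value else 0


def has_name(r: ExposedRecord) -> bool:
    # (first name || first initial) && last name
    return bool(r.first_name) and bool(r.last_name)


def has_government_id(r: ExposedRecord) -> bool:
    # Assumed reading of "not redacted or altered (SSN <5, DL last 4)":
    # an SSN with fewer than 5 digits visible, or a DL reduced to its
    # last 4 characters, is treated as redacted and does not count.
    ssn_counts = _digit_count(r.ssn) >= 5
    dl_counts = bool(r.drivers_license) and len(r.drivers_license) > 4
    return ssn_counts or dl_counts or bool(r.gov_id)


def has_financial_access(r: ExposedRecord) -> bool:
    # (account # || CC # || debit card #) && (security code || password)
    return bool(r.account_number) and (bool(r.security_code) or bool(r.password))


def has_health_data(r: ExposedRecord) -> bool:
    return r.medical_info or r.health_insurance_info


def is_covered(r: ExposedRecord) -> bool:
    return has_name(r) and (
        has_government_id(r) or has_financial_access(r) or has_health_data(r)
    )


def is_usable(r: ExposedRecord) -> bool:
    # Encrypted data is out of scope unless the key went with it.
    return (not r.encrypted) or r.key_compromised


def covered_records(records: Iterable[ExposedRecord]) -> List[ExposedRecord]:
    return [r for r in records if is_covered(r) and is_usable(r)]


def needs_notification_analysis(records: Iterable[ExposedRecord], min_records: int = 1) -> bool:
    # min_records models the "sometimes must be 2+ records" threshold.
    return len(covered_records(records)) >= min_records


# Constructed sample data, not from any real incident.
SAMPLE = [
    ExposedRecord("Ada", "Lovelace", ssn="123-45-6789"),                  # full SSN: covered
    ExposedRecord("B", "Babbage", ssn="***-**-6789"),                     # 4 digits visible: redacted
    ExposedRecord("Grace", "Hopper", account_number="4111111111111111"),  # number alone: not covered
    ExposedRecord("Grace", "Hopper", account_number="4111111111111111",
                  security_code="123", encrypted=True),                   # covered, but encrypted and key safe
    ExposedRecord("Alan", "Turing", health_insurance_info=True),          # health data: covered
    ExposedRecord(None, "Doe", ssn="123-45-6789"),                        # no first name/initial
]

if __name__ == "__main__":
    hits = covered_records(SAMPLE)
    print(f"{len(hits)} of {len(SAMPLE)} exposed records match the covered-data pattern")
    print("escalate to counsel:", needs_notification_analysis(SAMPLE))
```

Two of the six constructed records survive the filter: the full-SSN record and the health-insurance record. The redacted SSN, the bare card number, the encrypted record whose key stayed safe, and the record with no first name or initial all drop out, which is exactly the kind of per-record reasoning the ambiguity slides later complain about having to do by hand.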
Disclosure obligations - who
• Notify affected individual || the affected owner/licensee
• Notify Office of Attorney General
• Notify consumer reporting agencies

Disclosure obligations - when
• Without reasonable delay (sometimes immediately || within a specific timeframe)
• Can delay to determine scope && restore system integrity && if a law enforcement agency (LEA) advises disclosure will impede an investigation or national security

Disclosure obligations - method
• Written notice
• Email notice if email address is valid && individual permits communication via email
• Telephone
• Media || email || org’s website if cost > defined threshold || # of recipients > defined threshold || contact info is unreliable or unknown || can’t identify affected individuals

Disclosure obligations - detail
• General incident overview
• Type of personally identifiable information
• Steps that will be taken to protect against further unauthorized access
• Contact phone number (if one exists)
• Advice to review account information and free credit reports

Non-compliance ramifications
• Attorney general may bring action to
  • Obtain actual damages
  • Seek civil penalty for willful and knowing violation of notification requirements
• Federal agencies can sanction orgs
  • Mandate controls
  • Mandate audits
• Affected individual can seek to recover direct economic damages
  • But not $ for the time they put into doing so

Exceptions
• Notification not required if affected individuals are unlikely to experience fraud as a result of the incident
• Some types of organizations/sectors excluded

Data breach notification laws

Issues – scope
• Not comprehensive enough
  • Mostly electronic – 30% of reported breaches involve paper; some reports indicate most breaches involve paper
  • What about spoken word…and smoke signals?
  • Focus almost entirely on financial identity fraud
• Excessive notification
  • Only 3% of those notified of a breach experience identity fraud as a result
  • Leads to ignoring, considering all the same, failure to take action

Issues – ambiguity
• Reasonable
• Without reasonable delay
• Likely
• May result in harm
• Likely to result in harm
• Validity of contact information
• Must other states’ laws be adhered to?

Issues – difficulty complying
• Inconsistencies
  • Follow each state’s requirement or adhere to the most restrictive state’s requirement
• Incompatibilities
  • LEA allows for delay in notification, but another state doesn’t allow for that
• Individual / small org vs. large org

Issues – inequitable treatment
• Single incident could result in
  • Notification not required for some individuals
  • Some individuals provided different information
  • Some individuals less likely to receive notification

Issues – miscellaneous
• Ways of identifying a person are myopic
  • Username, email address, phone number
• Don’t always know residency of individual
  • Residency information not collected
  • Residency information could be stale
  • Phone # portability

Issues – incentives
• Avoidance $ < notification $ + notification impact $?

Issues - rationale reality
• Provides necessary information for affected individuals to make informed decisions to mitigate impact
  • Information overload – useless information
  • Many actions should be taken regularly anyway
    • Account review, credit report review
  • Some actions can’t be taken
    • Can’t get issued a new SSN or stop doing biz with the government
  • Risk is overblown – impact likelihood / liability

Issues - rationale reality
• Negative consequences associated with disclosure will result in improved security practices
  • Many incidents are people failures
  • Affected individuals’ memories are short
  • Orgs’ efforts like Iridium-192 (short half-life)
  • Orgs’ efforts sub-optimized
  • Proof’s in the pudding

Pimp slap

Alternatives

Plan 1
• Play Angry Birds and just don’t sweat it

Plan 2
• Fine violators $100 billion

Plan 3
• Make all information public

Alternatives – the elements
• Focus on preventing unauthorized access
• Focus on preventing misuse of data
• Encourage individual behavior
• Improve breach notification laws

Prevent unauthorized access
• Mandate or encourage
  • Limiting access to authorized personnel
  • Limiting use to authorized purposes
  • Protection and transmission of data
  • Risk management
• Educate authorized personnel
• Increase personnel’s accountability

Prevent misuse of data
• Make it more difficult to access financial accounts
• Make it more difficult to create financial accounts
• Make it more difficult to access any accounts
• Increase penalties for data theft and misuse

Encourage individual behavior
• Preventive
  • Use unique passwords everywhere
  • Use unique usernames (I don’t eat my own dog food)
  • Protect your email account – keys to the kingdom
  • Protect the personal information you control
• Detective
  • Check financial accounts routinely
  • Check credit reports routinely

Improve breach notification laws
• Increase scope beyond financial fraud risk
  • Oh, Canada!
  • And include all types of orgs
• Increase consistency in state laws
• Risk-based approach
  • Likelihood of access, likelihood of misuse, potential impact, org’s ability to mitigate, compensating controls, affected individual’s ability to mitigate
  • Compliance status – infosec program, risk-based approach
  • Sanction status
  • Leave up to org? Or scoring system

Improve breach notification laws
• Consistent reporting format
• Increase information that’s shared
• Reduce PR speak
• Clearly describe risk
• Clearly describe recommended actions

Improve breach notification laws
• Tiered notification
  • Tier 1 – track internally, make available for audit, notify internal personnel
  • Tier 2 – notify national authority and internal personnel
  • Tier 3 – notify affected individuals
• Notification methods
  • To affected individual – base on org’s size
  • National database – public and private views

Questions and discussion?

Contact me
• <myfirstname>@<mylastname>.com
• @stevewerby
• 3 blocks from 29.431057° N, 98.490522° W