The data breach notification law requires companies to notify the authorities of any data breach involving personal information. The law does not recommend or require specific technologies or processes that companies must use.
The state issued a report on the responses to the notification law, and its findings are striking. In about a year, 318 breaches were reported, and in 75% of them the data was not protected at all. Encryption was used in only 3% of the incidents, and much of the data was not even password protected. This shows that many companies have yet to deploy even basic security controls.
A majority of the larger breaches, 75% of the 33 that affected more than 500 MA residents, were reported by the financial services sector. Obviously, data thieves think this gives them direct access to money. Other sectors should be equally vigilant, because attackers go after the low-hanging fruit wherever it may be.
60% of the data breaches were malicious in nature, and laptop or hard disk theft featured prominently. This is not a surprise: today's hard disks are highly portable and can hold hundreds of gigabytes of information. The remaining 40% of the breaches were the result of "employee error and sloppy internal handling". The conclusion is that the focus has to be both on protecting against intentional threats and on better employee training and policies.
As a follow-up to the data breach notification law, MA will be enforcing the data security regulation, 201 CMR 17.00, from May 1, 2009. Its purpose is to protect MA residents from identity theft and fraud. The regulation also aims to set minimum standards for information protection: its security, confidentiality and integrity. The scope of the regulation is broad. It covers all businesses, large or small, that use or hold personal information of MA residents, and it applies to all forms of information, paper as well as electronic.
The regulation defines personal information as a MA resident's first name and last name, or first initial and last name, in combination with one or more of the following: a Social Security number; a state ID or driver's license number; or a financial account number, including a credit or debit card number. Because of the last item, any business that so much as accepts a credit card could potentially fall under the regulation.
Encryption is an important technology that finds strong mention in the regulation, and a couple more definitions are worth noting. Unlike some previous regulations that simply mentioned encryption, this regulation defines encryption as an algorithmic process and also refers to the encryption key. Correspondingly, a breach of security is defined as unauthorized use of data that is not encrypted, or of encrypted data together with the confidential process or key. The practical consequence is that encryption only counts as protection while the key stays secret: a lost laptop whose passphrase is written down and travels with it, or whose key can be recovered from the device itself, is still a reportable breach.
One of the central features of the regulation is the requirement for a written information security plan. Every business is required to have one, and at least one employee must be designated to maintain it. The plan has to include disciplinary measures for violations and must be reviewed at least once a year. All incident responses and security issues are expected to be documented.
The next couple of slides describe the computer system security requirements set by the regulation.
Secure authentication protocols are required, and passwords are expected to be used. Recall the earlier slide on data breaches, where only 22% of the incidents had password protection.
Access to data must be controlled, with people accessing information only on a need-to-know basis. For example, if someone only needs a couple of records, there is no reason to download the entire database just because a large hard disk or memory stick makes it possible.
Data in motion must be encrypted: all data on public networks and all wireless data. One could reasonably include external email as well. It is worth noting that the TJX breach is said to have started with a compromise of the wireless network at a store.
All data on laptops and portable devices is also expected to be encrypted. While most operating systems and applications have some provision for passwords and access control, encryption often requires specialized software or hardware to be installed.
Firewall protection and up-to-date anti-malware protection are also required, and the controls are not expected to be "set and forget": reasonable, ongoing monitoring for unauthorized access is expected too. The last point, but a very important one, is that proper training and education of employees on data security is expected. The MA data breach report found that 40% of the breaches were the result of employee error or sloppy handling of sensitive information.
According to the regulation, businesses will be judged for compliance using several factors, including the size, type and scope of the business. For example, a small business may not have the resources a large one has, and the volume of data it holds is likely to be lower. Both employee and customer information are expected to be protected. The regulation has been amended and clarified since it was issued, so it is worth periodically checking the Mass. government website for updates. The website is shown at the bottom of the screen.
Here is a snapshot of the key dates for the Mass. regulations:
The data breach notification law has been in effect since Oct 2007.
The 201 CMR 17.00 data security regulation becomes effective on May 1, 2009 (postponed from Jan 1, 2009).
Businesses have until Jan 2010 to encrypt portable devices other than laptops, and to obtain written certification from third parties with whom they share sensitive data that those parties have a written data security plan.
While the focus of this presentation is portable devices, it is important to understand the big picture and map out the interconnected risks. A typical IT infrastructure can be quite porous: confidential data or personally identifiable information can be lost or stolen from many points, including file shares, local user PCs, email, portable media and remote user devices. When data thieves see data, they see cash. In this complex environment, security administrators face several challenges: the increasing sophistication of threats, an open enterprise with powerful endpoints, many compliance regulations, an assortment of point solutions, and limited budgets and resources.
When it comes to choosing and implementing a data security solution, security officers have requirements that go beyond encryption alone. These include the ability to:
Define security roles and responsibilities, so that information is accessed only on an as-needed basis.
Enforce consistent policies to ensure compliance in complex, mixed environments with a variety of endpoints and users.
Provide security that is transparent to end users, so there is no productivity loss and less reliance on end users to get security right.
Enable secure data sharing and recovery, so the business can keep functioning without interruption.
Allow easy deployment and administration, which is especially important in large, complex environments.
Facilitate quick, on-demand audits when there is a security incident. If a laptop is lost, it is important to be able to show quickly that it was encrypted, which means the encryption status must be recorded centrally rather than only on the device itself.
Here is that same network where data can be lost or stolen from many points. Data protection can be applied all the way from the core of your network to the edge and beyond.
Here is a solution example of transparent full disk encryption. Pre-boot authentication provides a greater level of security, because the disk is not unlocked until the user authenticates, before the operating system loads. The login dialog can be customized with your own graphics and text. After the hard disk is encrypted, a green key appears next to it.
Here is a solution example that encrypts removable media, including USB keys and CD/DVDs. Authorized employees can transparently save, exchange and read encrypted data. If the media is lost or stolen, it cannot be read.
SafeGuard Enterprise Configuration can prevent data leakage via PC ports by blocking or restricting access using whitelists.
SafeGuard Enterprise is a modular data security solution that enforces policy-based encryption for PCs and mobile devices across multiple platforms. It is easy to use for the end user and centrally managed from a single console, and it also provides security for endpoints and users that are not centrally managed.
Here are 4 key benefits provided by the SafeGuard Enterprise data security solution.
SafeGuard Enterprise has won several awards recently.
Massachusetts State Data Security Regulations<br />
Agenda<br />Introduction<br />Massachusetts Data Security Regulations<br />Compliance Best Practices<br />Utimaco data security solution<br />
Utimaco – The Data Security Company<br />25 Years of Security Experience<br />Founded in 1983<br />Member - Sophos Group<br />350+ Employees<br />US HQ – Boston, MA<br />Global HQ – Frankfurt (Germany)<br />Over 6 million licenses<br />Revenue US$ 96m (Rolling 12-mths Q1 FY’08/’09)<br />
Data Breach Headlines to be Avoided<br />TJX<br /><ul><li>In-store communications intercepted?</li><li>Reported on October 24, 2007</li></ul>Source: www.msnbc.com<br />261 Million Data Records of U.S. Residents Exposed Since 2005<br />Source: www.privacyrights.org<br />
Massachusetts Data Security Regulations<br />M.G.L. Chapter 93H (Oct ‘07)<br />Regulation to Safeguard Personal Information of Commonwealth Residents<br />Requires companies to notify data owners & regulators if a breach occurs<br />201 CMR 17.00 Regulation (June ‘10)<br />Specifies Standards for The Protection of Personal Information of Residents of the Commonwealth<br />Requires preventive data security controls including encryption<br />
M.G.L. Chapter 93H: Regulations to Safeguard Personal Information of Commonwealth Residents<br />Effective Oct 2007<br />“Duty to report known security breach or unauthorized use of personal information”<br />Defines personal information and requires companies to notify authorities upon data security breaches<br />Does not specify technologies or processes<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />
No Encryption in 308 of 318 Breaches<br />M.G.L. Data Breach Notifications Report (Sep. ’08)<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />
75% of Breaches: Financial Services Sector<br />Of 33 Breaches Affecting More Than 500 MA Residents<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />
Causes of Data Breaches<br />High Number of Laptops or Hard Disks Were Lost or Stolen<br />60% “Criminal / Unauthorized Acts”<br />40% “Employee Error / Sloppy Internal Handling”<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />
201 CMR 17.00 Regulation: Standards for The Protection of Personal Information of Residents of the Commonwealth<br />Purpose<br />Implements provisions of M.G.L. c. 93H to protect against ID theft, fraud<br />Set minimum standards for information protection -- security, confidentiality and integrity<br />Protect against unauthorized access and use<br />Scope<br />All businesses using/having MA residents’ personal information<br />Applies to all forms of information (paper, electronic, etc.)<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />
201 CMR 17.00: More Definitions<br />“Encrypted”<br />“the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key…”<br />“Breach of security”<br />“unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security…”<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />
201 CMR 17.00: Mandatory Written Information Security Plan<br />Designated employee(s) maintain plan<br />Includes disciplinary measures<br />3rd party service provider must also have plan<br />Limit information access, time, amount to what's needed<br />Review plan at least annually<br />Document incident responses<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />
201 CMR 17.00: Computer System Security Requirements 1<br />Secure authentication protocols<br />IDs, passwords, active users, blocking<br />Secure access control<br />Information access on need-to-know basis<br />Control IDs, passwords, no “vendor default passwords”<br />Encrypt data in motion<br />On public networks and all wireless data<br />Encrypt data at rest<br />Laptops, other portable devices (USB sticks, CD/DVDs, PDAs, etc.)<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />
201 CMR 17.00: Computer System Security Requirements 2<br />Firewall, anti-malware protection<br />Up-to-date patches, “virus definitions”<br />Reasonable monitoring for unauthorized access<br />Education and training of employees<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />
201 CMR 17.00: Compliance Evaluation Criteria<br />Size, type and scope of business<br />Amount of resources available<br />Amount of stored data<br />Need for security and confidentiality of both consumer and employee information<br />Source: http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm<br />