California Data Privacy Laws: Is Compliance Good Enough?

This webinar describes:

- Data protection in California and beyond
- Achieving compliance and security
- How to move beyond compliance
- How Lumension can help

Published in: Technology
  • Companies continue their flippant and cavalier response toward data security.

    Regardless of the consequences, companies like HP and others insist customers return hard drives with no way to guarantee data security. However, Dell has a policy that is more secure and respectful, allowing customers to 'Keep Your Hard Drive — A Data Protection Service from Dell'.

    After hours on the phone with HP representatives I could not get a satisfactory response to any of my questions concerning the security of my data, including 'Is it recycled?', 'Where does my old hard drive go?', 'How is it destroyed?', 'Why do they want a bad hard drive?', 'How can you ensure me my data is secure?' and 'What is your policy on personal data security?'

    The fact is, once your hard drive leaves your hands you have no idea where it may end up or what can happen to the data. I do not wish to encourage paranoia, but today data is worth money and identity theft is a large problem. Despite the upsurge in identity theft, data mining and marketing abuses, most people know little or nothing about personal data security.
Speaker notes:

  • © Copyright 2008 - Lumension Security
  • Octomom case … $250,000 fine … 15 employees fired … 8 disciplined
  • Heartland … AU airport story
  • Defense-in-depth technologies: Patch Management; Encryption; Device Control; Blacklisting / Antivirus; IT Governance, Risk Management and Compliance (GRC); Log Management; Security Information and Event Management (SIEM); Whitelisting / App Control; Host-based Intrusion Prevention System (HIPS); Firewall

    1. California Data Privacy Laws: Is Compliance Good Enough? Chris Merritt, Director Solution Marketing, May 2010
    2. Today’s Agenda
       - Data Protection in California … and Beyond
       - Achieving Compliance … or Security?
       - How to … Move Beyond Compliance
       - How Lumension Helps
    3. Data Protection in California … and Beyond
    4. 2009 Fraud & ID Theft Data (chart). Source: FTC Consumer Sentinel Network (CSN) 2009 Data Book, Feb 2010
    5. 2009 Fraud & ID Theft in California (chart). Total Number of Identity Theft, Fraud and Other Consumer Complaints = 165,033
    6. California Data Protection Laws (CA Civil Code §§ 56.06)
       - Medical Information: AB 1298 (January 2008)
       - Expands …
         - application of the Confidentiality of Medical Information Act (CMIA) to any business that handles medical information
         - definition of PII to include medical information
       - Penalties include …
         - individual – $1,000 per violation, plus damages and court costs
         - civil – from $1,000 to $250,000 per violation
         - considered a misdemeanor
       - Example … Nadya Suleman (aka ‘Octomom’) case
    7. California Data Protection Laws (CA Civil Code §§ 1785.11.2)
       - Consumer Credit Reporting Agency: SB 168 (Jul 2002)
       - Requirements
         - Allows consumers to ask for a “credit freeze”
         - Prohibits exposing SSNs (print, clear-text transmission, etc.) or requiring SSNs for identification
       - Augments the rest of §1785, covering Credit Reporting / Usage …
         - address matching
         - verification of no ID Theft / Fraud
         - cannot sell debt in cases of ID Theft
         - fines for ID Theft / Fraud
         - and much more
    8. California Data Protection Laws (CA Civil Code §§ 1798.29, §§ 1798.82)
       - Protecting PII (State Agencies and Businesses): SB 1386 (Jul 2003)
       - Requirements
         - Covers any CA business or businesses with CA customers, and their vendors
         - Covers PII (first / last name, address, tel. no., acct. no., PIN, SSN, etc.)
         - Requires notification if there was “or is reasonably believed to have been” a breach, unless data are encrypted (with some caveats)
       - First State Data Breach Notification law in US, and model for many that followed
    9. Other State Data Protection Laws (Massachusetts 201 CMR 17; Nevada Chap. 603A)
       - Massachusetts –
         - covers all businesses with MA customers
         - requires comprehensive written security plan
         - requires encryption, firewall, patching and anti-malware
       - Nevada –
         - codifies PCI-DSS
         - provides “safe harbor” if data are encrypted or if compliant w/ PCI
    10. Other Federal Data Protection Laws: Sarbanes-Oxley (SOX); Gramm-Leach-Bliley Act (GLBA); FACTA Red Flag Rules; BSA / AMLA; HIPAA; HITECH
    11. Other Data Protection Regulations: PCI-DSS; NERC
    12. International Data Protection Laws: UK Data Protection Act; EU Directives; Basel II
    13. Proposed Federal Data Protection Laws: Personal Data Privacy and Security Act of 2009 (S.1490); Data Breach Notification Act (S.139); Data Accountability and Trust Act (H.2221)
    14. Achieving Compliance … or Security?
    15.–17. Achieving Compliance … or Security (built up over three slides)
       - How to deal with this crazy quilt of statutes and regulations?
       - Focus on compliance
         - Pros – lowered liability, improved operations, meeting letter of the law
         - Cons – overlapping requirements, complicated, always chasing new rules
       - But … compliance ≠ security!
       - Need to move beyond mere compliance … to true security
         - Cons – more upfront effort
         - Pros – legal defensibility, better alignment w/ threats, better protection of all valuable data
    18. How to ... Move Beyond Compliance
    19. Four Steps to Security: Policy, Process, Technology, People
    20. Technology – Defense in Depth (diagram; the technology layers are listed in the speaker notes above)
    21. 3P’s of Security
       - Policy … needs to be …
         - written down and available
         - monitored and adapted as needed
         - end-to-end (data, users)
         - enforceable / enforced
       - Process …
         - reduces workload and eliminates gaps
         - needs to enable productivity, but provide security
       - People …
         - are your perimeter
         - need continuous education / training
    22. How Lumension Helps
    23. How Lumension Helps
       - Lumension helps you
         - Identify data for protection
         - Protect data from theft
         - Demonstrate compliance
       - Lumension solutions
         - Protect against data theft and data loss
         - Control the use of applications and devices
         - Enforce encryption when data is copied to removable media
         - Automate the collection, analysis, and delivery of patches and updates
         - Audit the network for compliance with Data Protection regulations in California and beyond
    24. How Lumension Helps – Encryption
       - External Device Encryption
         - Enforce encryption of information transferred to …
           - Removable devices (ext. HDs, USB sticks, etc.)
           - Removable media (CDs, DVDs)
         - Control and manage device access through all ports
           - Physical interfaces such as USB, FireWire, PCMCIA, etc.
           - Wireless interfaces such as WiFi, Bluetooth, IrDA, etc.
         - Control and monitor all devices in network environment
           - Those connected now or ever
           - Limit access by user, machine, time, status
         - Deliver detailed forensics of device usage and data transfer
           - Log file metadata (name, type, size, etc.)
           - Retain copy of entire file
    25. How Lumension Helps – Password Control
       - Password Protection
         - Agent-based inventory capability validates password complexity
         - Network-based scan detects password complexity policy option
         - Force use of complex passwords
         - Prevent users from accessing encrypted devices/media after five incorrect password attempts
    26. How Lumension Helps – System Security
       - Comprehensive Endpoint Protection
         - Lumension AntiVirus provides protection against malware
           - Traditional blacklisting
           - Behavioral analysis capabilities
         - Lumension Patch and Remediation provides automated patching
           - Comprehensive vulnerability assessment
           - Rapid, accurate and secure patch management
           - Ensures systems are up-to-date and free from vulnerabilities
         - Lumension Application Control guards against unwanted change
           - Prevents unauthorized / unwanted apps from executing, including malware
           - Maintain network assets in known state
         - Lumension Device Control provides endpoint data protection
           - Protects against data leakage (theft / loss)
           - Forces encryption of data transferred to removable devices / media
           - Prevents malware introduction via removable devices / media
    27. How Lumension Helps – Show Compliance
       - Compliance & IT Risk
         - Demonstrate compliance to Data Protection regulations in California and beyond
         - Use Lumension Risk Manager to …
           - Identify key assets
           - Assess compliance level of these assets
           - Remediate assets to bring them into compliance
           - Manage key assets on a consistent basis
    28. Integrated Risk Management (architecture diagram). Labelled components: Integrated Risk Management Console; views for Compliance, Business Impact, Risk Management and Operational Security; IT Assets (Devices, Applications) and Business Subjects (People); Control Connectors (Lumension Vulnerability Management, Lumension Data Protection, Lumension Endpoint Protection, Connector Development Kit, 3rd Party Connectors); Business Framework (Risk & Compliance, Lumension Survey, Workflow Engine)
    29. Summary
       - Lumension Enables Organizations to …
         - Stay ahead of remote threats
         - Streamline security and operational management across heterogeneous environments
         - Gain visibility into real-time patch status and overall security posture
         - Save time and cost through automation
         - Elevate security posture with full visibility into and control over endpoints
         - Address Data Protection regulations in California and beyond with confidence
    30. Questions?
    31. Resources and Tools
       - Whitepapers
         - Ogren Group Security Analysis Case Study - Proactively Managing Endpoint Risk
         - Three Ways to Prevent USB Insecurity In Your Enterprise
         - and a host of other Data Protection whitepapers
       - Other Resources
         - Podcasts, Videos, Webcasts
         - On-Demand Demos
         - eBooks
       - Premium Security Tools
         - Scanners
       - Product Software Evaluations
         - Virtual Environment
         - Full Software Download
    32. Global Headquarters
       - 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255
       - 1.888.725.7828
       - [email_address]
       - blog.lumension.com
