Security Basics: New Data Security Laws Carry Greater Consequences

Go directly to jail, do not pass Go, and don’t even think about collecting your paycheck

New laws regarding data security come with greater penalties if you are found negligent in protecting that data, and ignorance of these laws is no defense. You might be incarcerated or lose your current job (greatly diminishing your chances of future employment). All those great people you used to work with may meet you in the unemployment line if your old company is sued out of business. If your responsibility includes security, then you may be the first to go, but all “C” level executives are vulnerable under these new laws.

The laws we'll discuss are the result of dramatic increases in the loss of personal and financial information from cyber crimes. However, the laws cover any loss of information, even if it is stolen the old-fashioned way, such as taking it from the copier room. Don’t be too confident -- this can happen to any company at any time. Even the most secure environments are vulnerable to the after-hours cleaning crew as well as to the savvy computer hacker.

You're increasingly vulnerable to cyber crimes. Consider the figures on reported intrusions from the latest study of large corporations and government agencies conducted by the Computer Security Institute (CSI) and the FBI:

  • 90 percent of respondents detected computer security breaches within the past 12 months

  • 80 percent acknowledged financial losses due to computer security breaches

  • 44 percent of 223 respondents quantified their losses at nearly $446 million

  • only 34 percent reported the intrusions to law enforcement

  • MasterCard had their first intrusion in 1999 -- today they have one every 10 minutes

As if these figures are not discouraging on their own, consider what is happening as more and more people gain access to the Internet and the tools for hacking become more sophisticated:

  • The vulnerability of systems is doubling each year

  • The number of reported attacks is doubling each year

  • The number of attackers and their level of sophistication are increasing every year

  • Many Internet sites provide the code necessary to hack systems and exploit flaws in packaged software

  • The time between finding a flaw and producing the patch has shortened, but so too has the time in which hackers get the exploit code on the Internet

  • The speed with which an attack can infiltrate the Internet is also increasing -- what took 24 hours two years ago can now be accomplished in 30 minutes (and that's getting shorter, too)

All of these converging negatives create an atmosphere for “The Perfect Storm” in cyber crime. According to the AON Financial Services Group (2002), “Given that over 70% of the market capitalization of the Fortune 500 companies is attributed to information assets (Forrester Research), 1.4 billion e-mails are sent every day (Nielsen/NetRatings), and there was almost $1 trillion in 2001 online B2B sales (Jupiter Communications), it is no wonder that entities are expected to spend $14 billion by 2005 fending off cyber intruders (International Data Corporation)."

Cyber crime is growing. More importantly, cyber crime is so different that traditional crime-fighting techniques cannot be applied. Huge cyber crime acts overwhelm incident-response teams; such teams are particularly crippled by the high percentage of “false positives” reported. Another complicating factor: the global nature of the crime. Tracking down criminals is futile for all but the largest crimes (for example, the theft of $30 million or more). Even in such cases, where would the criminals be tried—in the jurisdiction of the victim, the criminal, the victim’s servers, or the criminal’s server? Even worse are the chances of collecting a judgment against a group of hackers.

Fortress-style security and crisis management models do not work. Neither does another traditional approach to combating crime: running the physical security organization apart from the data security effort.

Meanwhile, legislation and regulations are forcing companies of every type to re-think how they protect their information assets, especially employee and customer information. The legislation calls for greater penalties when companies fail to protect certain types of information.

The following summary of the recent legal and regulatory requirements that you and your company must comply with is adapted from Marsh & McLennan Companies’ Risk Alert, “Information Risk—Protecting Your Organization in a Networked World."

California Senate Bill 1386 (July 2003)

Senate Bill 1386, also known as Assembly Bill 700, requires an agency that owns or licenses computerized data containing personal information to disclose when there's a breach in a system's security. If the agency maintains computerized data, but does not own the data, the agency must notify the owner or licensee of the information about the breach. This disclosure must be made as expediently as possible, without unreasonable delay, to any individual whose unencrypted personal information was or may have been accessed by an unauthorized person.

Notification can be delayed if a law enforcement agency determines it would impede a criminal investigation. However, notification must be made once it has been determined that it would not interfere with the investigation. Notification can also be delayed if the agency’s standard is to first determine the scope of the breach and restore the integrity of the data system.

This bill defines “breach of the security of the system” as unauthorized access to computerized data that would compromise the security, confidentiality, or integrity of personal information. This bill defines “personal information” as a person’s first and last name in combination with one or more of the following: Social Security number; driver’s license number or California Identification Card number; or credit card number or debit card number, along with the required security code, access code, or password.

You must make notification by written, electronic, or substitute notice. A substitute notice can be made if the agency demonstrates that the costs to provide the notice would exceed $250,000, or that the affected class of persons exceeds 500,000, or when the agency does not have sufficient contact information. The act requires notification when there has been a suspected (not actual) compromise. Although this law only applies to California at this time, US Senator Dianne Feinstein (D-Calif.) is circulating a draft called the Database Security Breach Notification Act modeled after the California law.
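The SB 1386 rules above amount to a small decision procedure that an incident-response team works through for every exposed data set: is the exposed record "personal information" as defined, was it unencrypted, may it have been accessed, and which notice channel and timing apply. The following is an added example, not code from the article or from Marsh & McLennan, that encodes the article's summary of those rules so a breach can be scoped consistently. The field names (ssn, drivers_license, credit_card, and so on) and the sample scenarios are constructed for illustration; the thresholds are the $250,000 and 500,000 figures stated above.

```python
"""Breach-notification assessment under the article's summary of California SB 1386.

Added example, not part of the original article. Field names and scenarios
are constructed; thresholds come from the article's summary of the statute.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Identifiers that, together with a first and last name, make a record
# "personal information" on their own (article's SB 1386 summary).
STANDALONE_IDENTIFIERS = {"ssn", "drivers_license", "ca_id_card"}
# Card numbers count only when the required code or password is also exposed.
CARD_IDENTIFIERS = {"credit_card", "debit_card"}
CARD_SECRETS = {"security_code", "access_code", "password"}

SUBSTITUTE_NOTICE_COST_USD = 250_000        # from the article
SUBSTITUTE_NOTICE_POPULATION = 500_000      # affected persons, from the article


def is_personal_information(exposed_fields: Set[str]) -> bool:
    """True when the exposed field set meets the article's definition."""
    if not {"first_name", "last_name"} <= exposed_fields:
        return False                          # name is required in every case
    if exposed_fields & STANDALONE_IDENTIFIERS:
        return True
    # A card number alone is not enough; the accompanying secret must be exposed too.
    return bool(exposed_fields & CARD_IDENTIFIERS) and bool(exposed_fields & CARD_SECRETS)


@dataclass
class BreachAssessment:
    notify: bool
    reason: str
    channel: Optional[str] = None   # "written_or_electronic" or "substitute"
    timing: Optional[str] = None    # "without_unreasonable_delay" or "delayed_pending_investigation"


def assess_breach(exposed_fields: Set[str], encrypted: bool, affected_persons: int,
                  estimated_notice_cost: float, contact_info_available: bool,
                  law_enforcement_hold: bool = False) -> BreachAssessment:
    """Decide whether, how, and when to notify.

    The caller invokes this for *suspected* access: the article notes the act
    requires notice when data was or may have been accessed, not only on proof.
    """
    if not is_personal_information(exposed_fields):
        return BreachAssessment(False, "exposed data is not personal information as defined")
    if encrypted:
        # The statute's notice duty covers unencrypted personal information.
        return BreachAssessment(False, "exposed personal information was encrypted")

    # Substitute notice is allowed above either threshold or without contact details.
    if (estimated_notice_cost > SUBSTITUTE_NOTICE_COST_USD
            or affected_persons > SUBSTITUTE_NOTICE_POPULATION
            or not contact_info_available):
        channel = "substitute"
    else:
        channel = "written_or_electronic"

    # Law enforcement may delay notice; it is still owed once the hold is lifted.
    timing = "delayed_pending_investigation" if law_enforcement_hold else "without_unreasonable_delay"
    return BreachAssessment(True, "unencrypted personal information may have been accessed",
                            channel, timing)


if __name__ == "__main__":
    # Constructed scenarios, not real incidents.
    scenarios = {
        "lost backup tape, names + SSNs, 1,200 people":
            assess_breach({"first_name", "last_name", "ssn"}, False, 1_200, 4_000.0, True),
        "same tape but encrypted":
            assess_breach({"first_name", "last_name", "ssn"}, True, 1_200, 4_000.0, True),
        "card numbers without security codes":
            assess_breach({"first_name", "last_name", "credit_card"}, False, 50, 200.0, True),
        "600,000 driver's license records":
            assess_breach({"first_name", "last_name", "drivers_license"}, False, 600_000, 10_000.0, True),
    }
    for label, result in scenarios.items():
        print(f"{label}: {result}")
```

The two-stage structure (definition check first, then channel and timing) keeps the assessment auditable: the reason string records which clause drove the decision, which is the kind of paper trail the article's closing advice on demonstrating "reasonable efforts" calls for.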

Sarbanes-Oxley Act (2002)

Upon first reading, it might appear that this legislation addresses corporate accountability, but it is pointed directly at information security. This act increases the responsibility of corporate audit committees and limits non-audit services (including information systems consulting services) that an auditor may offer to its clients. It also increases the penalties for violations of securities law and other laws, allowing them to be levied against individuals, not just corporations.

The principal executive and financial officers of corporations are now required to establish and maintain internal controls that ensure the accuracy of the information in financial reports and to evaluate those controls no earlier than 90 days prior to the date of the report. It is therefore essential to prevent unauthorized access and tampering with information.

Gramm-Leach-Bliley Act (1999)

This act is also known as the Financial Services Modernization Act and GLBA. It is designed to protect consumers’ privacy and secure information. A company that fails to comply with GLBA provisions may be the target of enforcement actions, civil penalties, governmental fines and penalties, and cease-and-desist orders. Among the issues covered by the act:

  • Financial institutions must clearly disclose their privacy policies with regard to sharing nonpublic personal information with both affiliates and third parties.

  • Financial institutions must notify consumers of, and provide them with, an opportunity to “opt out” of the institutions’ sharing non-public information with nonaffiliated third parties, subject to certain limited exceptions.

  • Financial institutions must disclose their privacy policy when they first establish customer relationships with consumers and not less than annually thereafter for the duration of the relationship.

  • The Federal Trade Commission, the federal banking agencies, the National Credit Union Administration, and the Securities and Exchange Commission have the authority to enforce the regulations.

A substantial portion of the GLBA speaks to the sanctity of personal information and the necessity for financial institutions to protect it. Principal executives and board directors may be held personally liable for practices that are viewed as negligent.

The Health Insurance Portability and Accountability Act of 1996

The federal government has made privacy of patient information a top priority. Healthcare organizations had until April 2003 to comply with the privacy regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The privacy rules apply to healthcare providers, health plans, healthcare clearinghouses, and organizations that have access to patient records and finances.

In addition to HIPAA, healthcare organizations must comply with existing common law and statutory and regulatory protections under state laws safeguarding the privacy of individuals’ medical information. They will also have to comply with a wide array of security requirements, such as certification, data back-up plans, personnel security, virus checks, and authentication procedures.

What Can You Do?

In addition to the obvious technical remedies, employee and management awareness is critical to avoid “social engineering” forms of intrusion. This involves detailed policies and procedures, along with the associated training efforts.

Mike Rogers, Information Protection Officer of the Automobile Club of Southern California says, “You need to establish the appropriate level of paranoia within your organization.” Employees should not be so frightened they are ineffective, but they need to understand that the penalties can apply to them as well, and they can be severe.

You need a formalized plan that encompasses both proactive deterrence and early detection:

  • Convert physical access control systems to communicate directly with the corporate data network

  • Conduct threat assessments using physical security and data security on the same task force

  • Monitor network events and file access events to identify suspect events

  • Populate an investigation database with suspect events and share results with such parties as competitors, law enforcement, and online security clearing houses

  • Promote and publicize that you share your data to deter criminals

  • Use your network monitoring as a management system for documenting compliance with corporate policies on employee security practices

  • Insure your company against losses using a proactive security approach to help you qualify for insurance, reduce your premium, and mitigate the risk that is excluded from your insurance coverage

  • Develop and maintain incident response plans

  • Preserve evidence but know that enforcement, prosecution, and collection are unlikely

The combination of increased cyber crime and new legislation has dramatically increased your risk: damages can come from the loss or theft itself, followed by class-action suits with serious (possibly catastrophic) penalties.

Prepare a five-year plan customized for your organization. This plan, along with annual progress, proves that “reasonable efforts” are underway to protect the organization. In turn, this could protect you against the legal liability of being found negligent in performing the duty of protecting information that is covered by the new legislation and regulations.