House passes Data Breach legislation… jury still out

The U.S. House of Representatives has passed HR 2221, the Data Accountability and Trust Act.  This sets nationwide breach notification requirements that trump the patchwork of State laws that have been in effect since California led the way in 2002.   The passage was written about in a Federal Computer Week article “House passes bill to require data breach notifications”.

Overall, standardizing the definition of Personally Identifiable Information will help in protecting the data.  This is a good thing, as some states have more stringent definitions than others.   Data brokers face greater requirements, which is also a good thing.

The problem I see comes from the FTC having jurisdiction over the new law.  The FTC does not have authority to enforce regulations on government, banks, savings and loans, the insurance industry and non-profits, which would include higher education and some healthcare environments.  These industries are often the victims of data breaches, yet they aren’t covered by this new federal law.

We’ve seen the FTC extend its reach with the Red Flags rule and perhaps they will follow suit with the new data breach notification legislation.  If they let some industries with known disclosure issues slip through the cracks then the overall effectiveness of the legislation is diminished.

Using a Framework to Navigate Regulatory Compliance

The regulatory environment overseeing the protection of sensitive information is incredibly crowded.  Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), the Health Insurance Portability and Accountability Act (HIPAA), HITECH, Red Flags, and the Payment Card Industry Data Security Standard (PCI-DSS), among a host of state laws and audit guidelines, seem to provide the Fort Knox of IT risk management if organizations would comply.   The reality is that the complexity and costs of compliance may be a contributing factor in the overall risk management failings that appear above the fold in your local newspaper.

While large companies are better equipped to deal with the additional costs for infrastructure, tools, staff, auditors, and third-party vulnerability scanners, small or medium-sized businesses can quickly become stretched to the point of ineffective security.  There may be some paralysis when deciphering multiple regulatory obligations that often overlap or even conflict.    There are opportunity costs when small business executives spend more time dealing with compliance issues than dealing with business strategy.

The solution is not to avoid regulatory obligations.  The solution is to better manage information security and deploy best practices as simply part of the organizational culture.   The way to get there isn’t to go through check boxes for every compliance item that comes your way.  That will drive any person insane and lead to a tangled mess of interwoven security policies, procedures, technologies, etc.   What I believe is a more effective approach to compliance is the implementation of an information security management system following a framework such as ISO 27001/27002.  Many of the controls within 27002 align with the requirements in many of the compliance items so building a consolidated program based on a series of best practices will help meet compliance obligations.

ISO 27001/27002 is simply a framework that defines a security code of practice and best practices across twelve areas.  These include:  Risk assessment, security policy, governance, asset management, human resources, physical and environmental, communications and operations, access control, acquisition, development and maintenance, incident management, business continuity, and compliance.  Pay particular attention to the last one and note that compliance is just one piece of the framework of best practices.   This leads back to a previous post that risk management and information security must go beyond the simple yes or no check boxes of regulatory compliance in order to be effective.

The ability to protect sensitive information is a process that requires ongoing care and feeding in order to protect against the expensive financial and reputation damages of a breach.  Using a framework such as ISO 27001/27002 provides a consistent baseline against which to measure and certify.  This minimizes confusion and complexity and goes a long way toward achieving compliance across a wide array of regulatory requirements while effectively using both technical and human resources to maximize benefit and reduce unnecessary cost.

Nevada’s New Privacy Law

SB 227 was signed into law by Governor Gibbons and goes into effect in January 2010.  Simply stated, the law requires data collectors (companies and government entities, quite frankly) who accept credit cards for payment of goods and services to be compliant with PCI-DSS.  In addition, it requires personally identifiable information to be encrypted when transmitted electronically (except by fax over POTS) and on storage devices that leave the physical control of the organization’s facilities.  This includes laptops, thumb drives, CDs/DVDs, etc.

The good:

The intent is clearly to protect personally identifiable information.  Taking steps to encrypt personal information in transit and on devices that leave the facility is a good thing.   The legislation also defines encryption as that which has been adopted by an established standards-setting body.  Previously, the legislation just said “encryption”, so I suppose someone could have used a Caesar cipher and called it good.   This enhancement goes a long way, quite frankly, as standards tend to change over time.  This definition keeps things current without having to revisit the legislation later.

Another good thing is that the law also requires the protection of cryptographic keys, which makes sense.  It also protects telecommunication providers who serve only to provide the network conduit.

The bad:

The inclusion of PCI compliance in subsection 1 was ultimately a bad amendment to this piece of legislation.  It’s not that I think PCI is a bad thing, I think it’s great.  The problem is that this is already an industry standard with an economic incentive to comply… the loss of credit card processing capability for a business.  While there are a number of really good controls associated with PCI, they apply to credit card information and don’t apply to other sensitive data elements.  I’m not a big fan of “spot” security and to legislate that requirement for a specific industry is an exercise in applying buzzwords.

The big problem I have with this legislation is the “or” statement between subsections 1 and 2.  The PCI component was just tacked onto the top as an amendment and created a loophole in the law, in my own, completely non-lawyerly opinion.  If you’re PCI compliant then subsection 2 does not apply because the law says that subsection 2 (encryption) only applies for companies that aren’t covered by subsection 1 (PCI).

Keep that in mind and consider this scenario.  A company collects credit cards but segments their credit card devices, applications and storage away from the rest of the company network.  This PCI network complies with PCI-DSS.  Their other network contains HR data, payroll data and the like.  They don’t have really great controls in place for these areas.  The question is, does the company still enjoy safe harbor under the law because they are PCI compliant?  By letter, yes… by spirit, no.

Conclusion:

Certainly the intent was to have organizations be responsible with personally identifiable information.  In fact, I think if companies don’t apply sound security safeguards and controls to all of their PII then they are negligent and safe harbor shouldn’t apply at all.  However, it sure would be nice if the legislature would turn the “or” statement into an “and” statement.  Maybe at the next legislative session.

Whether granting safe harbor to any organization is a good thing or not is another argument altogether but ultimately, this is going to be a trend across all States and may be just the beginning of greater security legislative obligations.  Protecting sensitive data is never a bad thing.  Ultimately, the big takeaway here is organizations have an obligation to protect the personal information they are entrusted with and those efforts should be taken seriously.