Legal & Security Risks in Off-Network Technology

Embed Size (px)


White paper discussing the risks associated with managing off-network IT devices.

Text of Legal & Security Risks in Off-Network Technology

  • 2. Life Cycle Security for IT Assets You may republish excerpts from this eBook as long as they are accompanied by an attribution link back to This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unites States License. You are free to share, copy, distribute and transmit the work under the following three conditions: 1. Attribution You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). 2. Noncommercial You may not use this work for commercial purposes. Thanks for downloading this eBook. You may also share any thoughts or questions directly by emailing at: Copyright 2013 Brass Valley LLC FRONT PAGE 3. No Derivative Works You may not alter, transform, or build upon this work. To view a copy of this license, visit or send a letter to: Creative Commons, 171 Second St, Suite 300, San Francisco, CA 94105 USA w w w.B r a s s Va l l e 2
  • 3. Life Cycle Security for IT Assets One Mans Trash... The Same Mans Liability Michael Lightfoot sipped a sweating can of diet Pepsi and set it down between a pile of documents and his cell phone. His office door popped open and Christy, his secretary, leaned her head in, Mr. Lightfoot there is a Mr. Sampson here to see you. He didnt have an appointment but he is freaking out in the waiting room. Michael nodded to let him in. Bill Sampson bustled in a minute later sweating as much as the can of soda. In a frantic tone he recounted his morning. I had been at work for about an hour and I was going through emails from this weekend when a sheriff walks up. There was his badge and a big gun, with a sour look on his face. My stomach plummeted. I thought he would arrest me right then in front of my whole office. Instead he hands me a subpoena and tells me Ive been charged FRONT PAGE with what amounts to criminal negligence. I read on and find out that someone got hold of a computer that we sent out to be recycled and got a truck load of information off of it, customer credit info, employee medical records and they say Im liable. Indeed you may be, Bill, I thought. If Bill didnt dispose of his old computer equipment properly and doesnt have the evidence to back it up in court, he will be found guilty. How would I have evidence for that?, he bellowed. Am I going to jail? Will the fines bankrupt my business? Well, lets see what you have. w w w.B r a s s Va l l e 3
  • 4. Life Cycle Security for IT Assets Table of contents INTRODUCTION Laws governing the security of Off-Network Devices 7 The Undeniable Trend Toward Increasing Regulation and Enforcement 9 Off-Network Devices That Store Sensitive Information 12 Information Stored on Off-Network Devices 13 What is my Liability? 14 Ramifications of Data Breaches 18 Protecting Off-Network Devices? 21 HOW TO GET STARTED 25 About Brass Valley 26 About Michael Lightfoot 26 Footnotes FRONT PAGE 5 27 w w w.B r a s s Va l l e 4
  • 5. Life Cycle Security for IT Assets Introduction According to a Ponemon study, 70% of data breaches come from off-network equipment. This is equipment that has been decommissioned, misplaced, or stolen. However, the vast majority of corporate budgets are spent on protecting on-line assets, although the law makes no distinction between on-line and off-line. Regardless of the network status, the company bears responsibility for protecting sensitive information. 70% The global market continues to demand better and faster access to the necessary information to respond to the market changes. Consequently, organizations are continuously implementing state of the art devices and deactivating obsolete equipment. In working with computers and data security for the last 30 years at corporations such as Allstate Insurance and as attorney for Research and Development at Motorola, we witnessed this process first hand. data breaches from off-network equipment. FRONT PAGE w w w.B r a s s Va l l e 5
  • 6. Life Cycle Security for IT Assets But what becomes of that decommissioned technology? What are the legal requirements when you retire this equipment? Do you have a process for determining what data is on these devices? How do you securely and properly dispose of these devices? What could you prove in a court of law and would your proof be sufficient to be admissible? Every person within the organization must have an increased awareness of the threat to data security. The threat is real and takes many forms including: Consumer fraud through identity theft Exploding corporate espionage intent on embarrassing your organization Disgruntled employees Organized crime State sponsored spying in search of financial and/or competitive advantage The dirty little secret is that most breaches are occurring off-network. FRONT PAGE Headlines such as those involving the NSA and data security privacy are seen daily and are usually related to on-line activities. The dirty little secret is that most breaches are occurring off-network. Think about it, if you really wanted to acquire sensitive data, would you rather attack the company where they have their highest level of defense or would you rather attack where they are weakest? w w w.B r a s s Va l l e 6
  • 7. Life Cycle Security for IT Assets Laws governing the security of Off-Network Devices Dependent on your industry, the laws which govern how off-network devices are managed could include: HIPAA - Healthcare Sarbanes-Oxley Financial services EPA regulations Environmental regulations Federal Communications Commission regulations Broadcast providers, phone service providers PCI regulations - Credit card data FDA (21 CFR Part 11) - Pharmaceuticals Gramm Leach Bliley Banking PII - Personally identifiable information** 1 ** For legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the legal term is being used. FRONT PAGE any information that can be used to distinguish or trace an individuals identity, such as name, social security number, date and place of birth, mothers maiden name, or biometric records; and w w w.B r a s s Va l l e 7
  • 8. Life Cycle Security for IT Assets 2 any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. So, for example, a users IP address as used in a communication exchange is classified as PII regardless of whether it may or may not on its own be able to uniquely identify a person. State-by-state laws Federal legislation As you can see sometimes regulations may overlap. For example a Healthcare agency that processes credit cards may be governed under both HIPAA and PCI regulations. FRONT PAGE w w w.B r a s s Va l l e 8
  • 9. Life Cycle Security for IT Assets The Undeniable Trend Toward Increasing Regulation & Enforcement Governments at the State and Federal levels have recognized the growing exposure related to information security. As a result, to combat these threats, there are growing mandates to control and access our data. Evidence of this trend is that many of these mandates are finding their way in legislation not originally intended to address data protection. EXAMPLE 1 Lets take a look at what has happened in the Healthcare industry with HIPAA, which is the first of many industries to be effected by this type of regulation in the near future. Under the American Recovery and Reinvestment Act of 2009, commonly known as the Stimulus Bill, States Attorneys General were empowered to prosecute HIPAA violations. So what was once only a Federal violation has now become a violation at both the Federal and State level. 1 FRONT PAGE w w w.B r a s s Va l l e 9
  • 10. Life Cycle Security for IT Assets EXAMPLE 2 In March, 2013 the U.S. Department of Health and Human Services (HHS) moved forward to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Their Omnibus Final Rule greatly enhanced a patients privacy protections, provided individuals new rights to their health information, and strengthened the governments ability to enforce the law. The Omnib