Overview
• Rising Tide of Information Security, Privacy and Internet Regulation
  – Federal
  – State
  – International
• The Unified Approach – A new look at compliance for IT Managers
US Sectoral Approach Has Led to Numerous Laws and Regulations
(Diagram labels: Int'l Law, State Law, SOX, FTC, FISMA, HIPAA, GLBA)
• Infrastructure Protection
• Identity Theft Prevention
• Corporate Governance and Reporting
• Standards (e.g., NIST and ISO 17799)
• The Payment Card Industry Data Security Standard (PCI DSS)
…Have Created a “Silo Approach” to Compliance
• GLBA – Finance Department (CFO) – Compliance Program 1
• HIPAA – Human Resources/Health Care – Compliance Program 2
• State Law – Compliance – Compliance Program 3
• Int'l Law – Clinical Research – Compliance Program 4
The Silo Problem:
• Multiple Compliance Efforts
  – Cost more money
    • Multiple consultants each offering expertise in specific areas (e.g., HIPAA, GLBA, EU Data Directive, California Law)
    • So multiple efforts are undertaken when essentially a single effort would suffice
  – Undermine overall compliance effectiveness
    • Redundancy, inconsistency, lack of centralized oversight
(Diagram labels: GLBA Consultants, HIPAA Consultants, Int'l Consultants, State Law Consultants)
A Unified Approach to Information Security Compliance
• Addresses all of the regulatory regimes (security, privacy and other regulatory requirements)
• One comprehensive approach
• Uses popular compliance frameworks
GLBA
• GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. §§6801, 6805
  – Resulted in Regulations for Some Agencies
  – Resulted in Guidelines for Others
GLBA Reach – Federal Banking Agencies
• Interagency Guidelines Establishing Standards for Safeguarding Customer Information:
  – The Office of the Comptroller of the Currency ("OCC") (Treasury); 12 C.F.R. Part 30
  – Federal Reserve System; 12 C.F.R. Parts 208, 211, 225 and 263
  – The Federal Deposit Insurance Corporation ("FDIC"); 12 C.F.R. Parts 408 and 364
  – The Office of Thrift Supervision ("OTS") (Treasury); 12 C.F.R. Parts 568 and 570 (security) and 573 (privacy)
GLBA Reach - NCUA, SEC, CFTC
• The National Credit Union Administration (“NCUA”); 12 C.F.R. Parts 716 (privacy) and 748 (security)
• The Securities and Exchange Commission ("SEC"); 17 C.F.R. Part 248 (SEC) (Amendment Pending)
• Commodity Futures Trading Commission; 17 C.F.R. 160.30
GLBA Scope and Amendments
• GLBA (1999): Safeguards; Privacy
• FACTA (2003): Disposal; Breach Notification; Safeguard Expansion
HIPAA Compliance
HIPAA Requirements/Security
• Administrative Security
• Physical Security
• Technical Security
• Business Associate Management
• Procedures, Legal Compliance
Federal Information Security Act of 2002 (FISMA)
• FISMA: Federal Information Security Act of 2002, 44 U.S.C. §3537 et seq.
  – Requires compliance with a set of standards for federal government information security
    • Federal Information Processing Standards (FIPS)
    • NIST Standards
• Applies to Federal information systems
  – An information system used or operated by an executive agency, or by another organization on behalf of an executive agency
• Applies to government contractors
FTC Authority
• Section 5 of the FTC Act ("FTCA") permits the FTC to bring an action to address any unfair or deceptive trade practice that occurs in the course of commercial activities
  – A deceptive trade practice is any commercial conduct that includes false or misleading claims or claims that omit material facts
  – Unfair trade practices are commercial conduct that causes substantial injury, without offsetting benefits, that consumers cannot reasonably avoid
FTC Security Enforcement
• Deceptive Trade Practices – Based on notice of privacy practices and official statements regarding how an organization safeguards sensitive information (e.g., In re Guidance Software Inc.)
• Unfair Trade Practices – Practices that "threaten data security" are unfair practices (e.g., In re BJ's Wholesale Club)
• GLBA Safeguards – Violations of the Safeguards Rule (e.g., In re Superior Mortgage Corp.)
Enforcement/Consent Orders - FTCA
• United States v. ValueClick Inc., C.D. Cal., No. CV08-01711, stipulated final judgment approved 3/17/08
• Life is good Inc., FTC, File No. 072-3046 (1/17/08)
• In re Guidance Software Inc., FTC, File No. 062 3057 (11/16/06)
• In the Matter of DSW, Inc., FTC, No. 053-3096 (12/1/05)
• In re CardSystems Solutions Inc., FTC, File No. 052 3148 (9/5/06)
• United States v. ChoicePoint, 106-cv-0198 (N.D. GA, 2-15-06)
• In the Matter of BJ's Wholesale Club, FTC No. 042-3160 (6/16/2005)
• In re Petco Animal Supplies Inc., FTC, File No. 032-3221 (11/17/04)
• In re MTS Inc., FTC, File No. 032-3209, 4/12/04 (Tower Records)
• In re Guess? Inc., FTC, File No. 022-3260 (6/18/03)
• In re Microsoft Corp., FTC, File No. 012-3240 (8/8/02)
• In re Eli Lilly and Co., FTC, No. 012-3214 (1/18/02)
FTC Enforcement - GLBA Safeguards
• In re Goal Fin. LLC, FTC, No. 072-3013, commission approval 2/19/08
• United States v. American United Mortgage Co., No. 07C 7064, (N.D. Ill., 12/17/07) (Disposal Rule)
• In re Nations Title Agency Inc., FTC, No. 052 3117, proposed consent order 5/10/06
• In re Superior Mortgage Corp., FTC, File No. 052 3136, 9/28/05
• In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No. 042-3104 4/15/05
• In re Sunbelt Lending Services, FTC, File No. 042-3153, 11/16/04
SOX and Security
• Sarbanes-Oxley Act, 15 U.S.C. §§7241 and 7267
• SOX is "basically silent" on information security
• However, information security is implicit:
  – Certification of effectiveness of controls (404)
  – Annual assessment and report on effectiveness of the controls (302)
• The SEC final rules require management to certify that two types of controls have been established and their effectiveness has been assessed:
  – Access Security
  – Internal Controls
SOX Standards: COSO and COBIT
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance
  – Integrity and Ethical Values
  – Commitment to Competence
  – Board of Directors or Audit Committee
  – Management Philosophy and Operating Style
  – Organizational Structure
  – Assignment of Authority and Responsibility
  – Human Resource Policies and Procedures
• COBIT (Control Objectives for Information and related Technology)
• COBIT Security Baseline:
  – Security Policy
  – Security Standards
  – Access and Authentication
  – User Account Management
  – Network Security
  – Monitoring
  – Segregation of Duties
  – Physical Security
State Breach Notice Laws Continue to Proliferate…
• Arizona (Ariz. Rev. Stat. §44-7501)
• Arkansas (Ark. Code §4-110-101 et seq.)
• California (Cal. Civ. Code §1798.82)
• Colorado (Col. Rev. Stat. §6-1-716)
• Connecticut (Conn. Gen Stat. 36A-701(b))
• Delaware (De. Code tit. 6, §12B-101 et seq.)
• Florida (Fla. Stat. §817.5681)
• Georgia (Ga. Code §10-1-910 et seq.)
• Hawaii (Hawaii Rev. Stat. §487N-2)
• Idaho (Id. Code §§28-51-104 to 28-51-107)
• Illinois (815 Ill. Comp. Stat. 530/1 et seq.)
• Indiana (Ind. Code §24-4.9)
• Kansas (Kansas Stat. 50-7a01, 50-7a02 (2006 S.B. 196, Chapter 149))
• Louisiana (La. Rev. Stat. §51:3071 et seq.)
• Maine (Me. Rev. Stat. tit. 10 §§1347 et seq.)
…with 4 More Enacted in 2007…
• Maryland (HB 208, S 194)
• Massachusetts (HB 4775)
• Michigan (SB 309, Public Act 566)
• Minnesota (Minn. Stat. §325E.61, §609.891)
• Montana (Mont. Code §30-14-1701 et seq.)
• Nebraska (Neb. Rev Stat 87-801 et. seq.)
• Nevada (Nev. Rev. Stat. 603A.010 et seq.)
• New Hampshire (N.H. RS 359-C:19 et seq.)
• New Jersey (NJ Stat. 56:8-163)
• New York (N.Y. Bus. Law §899-aa)
• North Carolina (N.C. Gen. Stat §75-65)
• North Dakota (N.D. Cent. Code §51-30-01 et seq.)
…and one this year, they now total 40…
• Ohio (Ohio Rev. Code §1349.19, §1347 et seq.)
• Oklahoma (Okla. Stat. §74-3113.1)
• Oregon (SB 583)
• Pennsylvania (73 Pa. Cons. Stat. §2303)
• Rhode Island (R.I. Gen. Laws §11-49.2-1 et seq.)
• Tennessee (Tenn. Code §47-18-2107)
• Texas (Tex. Bus. & Com. Code §48.001 et seq.)
• Utah (Utah Code §13-44-101 et seq.)
• Virginia (SB 307)
• Vermont (Vt. Stat. Tit. 9 §2430 et seq.)
• Washington (Wash. Rev. Code §19.255.010)
• Wisconsin (Wis. Stat. §895.507)
• Wyoming (SF 53)
…With 8 More in Process.
1. Alabama (SB 382)
2. Alaska (SB 21)
3. Iowa (SSB 3183)
4. Kentucky (HB 553)
5. Missouri (HB 2130)
6. Mississippi (HB 1408)
7. S. Carolina (S 453)
8. West Virginia (HB 2175)
• This leaves only the following 2:
  1. New Mexico, and
  2. South Dakota
Inconsistent State Breach Notice Laws
• Personal Information – At a minimum, define "personal information" as a name in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code, the breach of which triggers the need to notify consumers
  – Some include passports or other forms of federal identification
• Breach – Most apply only to breaches of unencrypted electronic personal information, and require written notification after a breach is discovered
  – Some require notice if the encryption key is breached along with unencrypted data
• Notification – Most require notification if there has been, or there is a reasonable basis to believe that there has been, unauthorized access that compromises electronic personal information
• Risk of Harm – In some states, entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to harm the individual
Inconsistent State Breach Laws (cont'd)
• Enforcement Authority – Most give the state's Attorney General enforcement authority
  – A few provide a private cause of action
• Law Enforcement Delay – Most allow for a delay in notification if disclosure would compromise a law enforcement investigation, except Illinois
• Substitute Notice – Most allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000; RI, DE, NE, OH set lower thresholds
• Security and Privacy Programs – Some require implementation of safeguards to protect information security and privacy (e.g., MD)
• Safe Harbor – Some provide a "safe harbor" for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law or federal law such as HIPAA and GLBA (e.g., OH, MD)
• Disposal – Some require proper disposal of PI (e.g., MD, MA, OR)
MN Plastic Card Security Act (Security Provisions)
• HF 1758 amends Minnesota's data breach notification law and contains security and liability provisions.
• The security provisions took effect August 1, 2007 and apply to any "person or entity conducting business in Minnesota" that accepts credit cards, debit cards, stored value cards or similar cards "issued by a financial institution."
• Such companies are prohibited from retaining the following card data after authorization of a transaction:
  – "the full contents of a track of magnetic stripe data" (which encompasses the "card verification value" or CVV, a unique authentication code embedded on the magnetic stripe);
  – the three to four digit security code on the back of the card by the signature block (also known as CVV2); and
  – any PIN verification code number (if a debit card with PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction)
Merchant Security
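The retention rules above translate directly into a control a merchant can run against its own transaction store. The following is an added example, not part of the presentation and not code from any law firm or vendor: it scans stored post-authorization records for the three data elements the act names (full track data, CVV2, and a PIN verification code kept past 48 hours) and reports each violation. The record field names (`track_data`, `cvv2`, `pin_verification`, `authorized_at`) and the sample records are constructed for illustration and do not reflect any real schema or merchant.

```python
"""Added example: retention check modelled on the Minnesota Plastic Card
Security Act provisions summarised above. Field names and sample records
are constructed for illustration only."""
from datetime import datetime, timedelta, timezone

# The act permits PIN verification data to be held at most 48 hours after
# authorization of a debit transaction.
PIN_RETENTION_LIMIT = timedelta(hours=48)

# Data elements that may not be retained at all after authorization.
# The keys are assumed field names for this example, not a real schema.
PROHIBITED_AFTER_AUTH = {
    "track_data": "full contents of a track of magnetic stripe data",
    "cvv2": "three to four digit security code (CVV2)",
}


def check_record(record, now):
    """Return a list of violation descriptions for one stored record.

    `record` is a dict with at least 'txn_id' and 'authorized_at'
    (timezone-aware datetime); `now` is the time of the scan.
    """
    violations = []
    for field, description in PROHIBITED_AFTER_AUTH.items():
        # Any non-empty value for a prohibited field is a violation,
        # regardless of how long ago the transaction was authorized.
        if record.get(field):
            violations.append(f"{record['txn_id']}: retains {description}")
    if record.get("pin_verification"):
        age = now - record["authorized_at"]
        if age > PIN_RETENTION_LIMIT:
            hours = age.total_seconds() / 3600
            violations.append(
                f"{record['txn_id']}: PIN verification code retained "
                f"{hours:.0f}h after authorization (limit 48h)")
    return violations


def scan(records, now):
    """Run check_record over every stored record and collect the findings."""
    violations = []
    for record in records:
        violations.extend(check_record(record, now))
    return violations


# Constructed sample data: a fixed scan time and five stored records.
NOW = datetime(2008, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    # Clean: only a truncated card number is kept.
    {"txn_id": "T1", "authorized_at": NOW - timedelta(hours=1), "pan_last4": "1234"},
    # Violation: CVV2 retained after authorization.
    {"txn_id": "T2", "authorized_at": NOW - timedelta(hours=2), "pan_last4": "5678",
     "cvv2": "123"},
    # Violation: PIN verification data kept 72 hours (limit is 48).
    {"txn_id": "T3", "authorized_at": NOW - timedelta(hours=72), "pan_last4": "9012",
     "pin_verification": "a1b2"},
    # Clean: PIN verification data still within the 48-hour window.
    {"txn_id": "T4", "authorized_at": NOW - timedelta(hours=10), "pan_last4": "3456",
     "pin_verification": "c3d4"},
    # Violation: full track data retained (placeholder value, not real track data).
    {"txn_id": "T5", "authorized_at": NOW - timedelta(days=1), "pan_last4": "7890",
     "track_data": "<constructed track placeholder>"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS, NOW):
        print(finding)
```

Run as a script, the block lists three findings (T2, T3 and T5); T4 passes because its PIN verification data is still inside the 48-hour window. In practice the same check would be pointed at the real transaction database and run on a schedule, with any finding treated as both a compliance failure and a breach-exposure risk under the liability provisions on the next slide.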
MN Plastic Card Security Act (Liability Provisions)
• For data breaches occurring after August 1, 2008, HF 1758 provides:
  – Authorization for banks to file lawsuits to recover from the merchant "the cost of reasonable actions undertaken" to respond to the breach
  – If a merchant retains such data in violation of the proposed law and there was a breach of that information, banks may seek the costs of:
    • canceling and reissuing credit cards,
    • closing and/or reopening accounts affected by a breach,
    • stop payment actions,
    • unauthorized transaction reimbursements, and
    • providing breach notice to affected individuals
Merchant Liability
International Laws
• EU Data Protection Directive
  – Purpose
    • To protect individuals with respect to "processing" of personal information
    • To ensure that personal data may be freely transferred
  – Information Security (Article 17)
    • Appropriate technical and organizational measures to protect data against destruction, loss, alteration, or unauthorized disclosure
• Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
  – Purpose: "every organization" that "collects, uses or discloses" personal information "in the course of commercial activities" must take steps to protect individual privacy
  – Security Standards
    • These must be commensurate with the sensitivity of the information the organization holds
    • Measures should address:
      – The manner in which the information is stored
      – Protection against loss or theft as well as unauthorized access, disclosure, copying, use, or modification of the data
• Others, including APEC
• US Safe Harbor
Inadequacy of U.S. Protections
• Article 25: Member States to enact laws prohibiting the transfer of personal data to countries outside the EU that fail to ensure an "adequate level of (privacy) protection"
  – US Privacy Laws Deemed Inadequate by EU
• The following methods can be used to obtain personal information from EU countries:
  – Data Transfer Agreement
    • Bind the (U.S.) importer to provide adequate protections (Article 26)
  – US Safe Harbor Provisions
    • Certify Compliance with Safe Harbor
  – Unambiguous Informed Consent
    • The EU company may transfer the data if it obtains unambiguous informed consent from every data subject before each transfer is made.
  – Binding Corporate Rules
    • The use of internal policy rules, procedures and mechanisms to ensure the rights of data subjects
Unified Approach To Security
Security Practices mapped against: ISO 17799, NIST, HIPAA, GLBA, FTCA
Administrative Safeguards
• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Management of Information Access
• Security Incident Procedures
• Contingency Planning
• Review/Evaluation X X
• Contracts
• Security Awareness and Training
Unified Approach to Security
Security Practices mapped against: ISO 17799, NIST, HIPAA, GLBA, FTCA
Physical Safeguards
• Facility Access Controls (Generally)
• Workstation Use and Security (Generally)
• Device and Media Controls
Technical Safeguards
Access Control
Audit Controls
Integrity Controls
Person or Entity Authentication
Transmission Security
(Process diagram labels: Attorney-Client Privilege; Compliance Program Integration; Training & Change Management; Identify Applicable Laws; Risk Analysis and Report; Implementation; Compliance; Legal Evaluation)
Protecting Information/Achieving Compliance
Fundamental Process
• Identify assets to be protected
• Conduct risk assessment
• Identify and select reasonable and appropriate controls
• Implement controls
• Training and awareness
• Review (audit) effectiveness and make necessary adjustments
Unified Approach Methodology
Step 1. Establish Requirements
Step 2. Preliminary Awareness Raising and Training
Step 3. Information Collection
Step 4. Perform Risk and Other Analyses
Step 5. Report of Findings and Recommendations
Step 6. Prepare Implementation Plan
Step 7. Implementation Program, Provide Training
(Supporting activities shown in the diagram: Determine Applicable Laws and Regulations; Determine Security and Privacy Standards; Documentation Review; Interviews/Questionnaires; Data Classification and Mapping)
Value of Unified Approach
• The number of laws and regulations will continue to grow, making compliance even more cumbersome
• Unified approach provides compliance with multiple regulations and laws at one time
• Ability to demonstrate due diligence to Federal and state authorities, plaintiff attorneys and contract partners
Thank You
M. Peter Adler, Attorney at Law
202.220.1278 (Direct)
[email protected]
Hamilton Square, 600 Fourteenth Street, N.W., Washington DC 20005-2004
202.220.1200, Fax: 202.220.1665
www.pepperlaw.com