Privacy Breach vs. Security Breach. The Great Lakes InfraGard Conference: Securing Our Critical Infrastructures, June 20, 2012. Keith A. Cheresko, Principal, Privacy Associates International LLC

  • Slide 1
  • Privacy Breach vs. Security Breach. The Great Lakes InfraGard Conference: Securing Our Critical Infrastructures, June 20, 2012. Keith A. Cheresko, Principal, Privacy Associates International LLC
  • Slide 2
  • Purpose
      • Explore the sometimes murky and confusing world of data breaches
      • Shed light on the differences and similarities between privacy breaches and security breaches
      • Leave you with a better understanding of the environment in which we all operate
      • Provide actionable ideas to help prevent breaches and increase the security of the data under our control
  • Slide 3
  • Agenda
      • Terminology
      • Background
      • Governing Rules
      • Practical Suggestions
      • Questions & (hopefully) Answers
  • Slide 4
  • Terminology
      • Personal: of, relating to, or affecting a particular person; private, individual (Webster)
      • Personal Information (PI): data of, relating to, or affecting a particular person
      • Personally Identifiable Information (PII): data that can be tied to a unique person, some of which has obtained defined legal protection (information relating to an identified or identifiable individual)
  • Slide 5
  • Background
  • Slide 6
  • Statistics
      • As of June 16, the Privacy Rights Clearinghouse database lists:
      • 562,242,283 records from 3,136 data breaches made public from 2005 to June 2012
      • 18,537,734 records from 264 breaches made public so far in 2012
      • 6,563,454 records from 16 breaches made public in June alone (half of which report an unknown number of records)
  • Slide 7
  • Statistics
      • The Verizon 2012 Data Breach Investigations Report indicates 855 incidents resulting in 174,000,000 compromised records
  • Slide 8
  • Statistics
      • The Ponemon Institute's 2011 Cost of Data Breach Study for US-based companies reports an average cost of $194 per compromised record and $5,500,000 in average organizational costs per event
  • Slide 9
  • Is a Privacy Breach Different than a Security Breach?
  • Slide 10
  • Privacy vs. Security
      • To answer, first consider the difference between privacy and security.
      • Privacy relates to giving an individual some level of control over his or her personally identifiable information (PII). Definitions of PII vary, as discussed later.
      • To give the individual that control, privacy is concerned with matters such as choice, notice, access, data quality, and security as it relates to PII.
      • Data security is concerned with safeguarding all data, not just PII.
      • Each is therefore broader than the other in one sense: privacy reaches beyond security to notice, choice, access and data quality, while security reaches beyond privacy to data that is not PII at all.
  • Slide 11
  • What is a Privacy Breach?
      • It can relate to two situations:
      • The unauthorized access to or acquisition of the kind of PII specified by an applicable law (the security aspect of privacy)
      • The failure to live up to obligations made with respect to the non-security aspects of privacy (notice, choice, access, etc.)
  • Slide 12
  • What is a Security Breach?
      • The unauthorized access to or acquisition of anything proprietary:
      • Buildings, facilities and other physical plant
      • Computer equipment
      • Product inventory
      • Confidential or secret information
      • Trade secrets
      • Intellectual property
      • Proprietary items
      • Financial information
      • Data in paper or electronic form
      • Personal information of consumers, employees, etc.
      • Customer lists
  • Slide 13
  • Should I worry?
      • Virtually any organization handling PI has the potential to experience a breach of data security (personal or any other type of data). For example, consider the cross section of reported breaches:
      • Retailers: Michaels Stores, Macy's St. Louis
      • Hospitality/food and beverage: Five Guys, Hannaford Bros.
      • Educational institutions: University of North Florida, University of Virginia
      • Healthcare providers: Phoenix Cardiac Surgery, South Shore Hospital, Charlie Norwood V.A. Medical Center
      • Financial institutions: Citi, U.S. Federal Retirement Thrift Savings Plan
  • Slide 14
  • Who is affected? (continued)
      • Payment processors: WHMCS, Heartland Payment Systems
      • Professional service providers: law firms, accountants, auditors
      • Governmental entities and agencies: Office of the Texas Attorney General, City of New Haven, New York State Office of Children and Family Services
      • Internet service providers: LinkedIn, eHarmony
      • Utilities
      • ... and on and on and on
  • Slide 15
  • Consequences of a breach?
      • Depending on the nature, sensitivity, type and volume of the data or other assets compromised, a breach may mean:
      • Loss of intellectual property
      • Possible identity theft
      • Damage to the organization's reputation
      • Legal actions, both regulatory and consumer
      • Operating and operational inefficiencies
      • Increased operating costs
      • Organizational freeze-up/paralysis
      • Lost business, from consumer churn to business termination
      • Adverse impact on market valuation
  • Slide 16
  • What Are the Governing Rules?
  • Slide 17
  • U.S. Federal Laws: Privacy and Information Security
      • The Federal Trade Commission Act
      • The Gramm-Leach-Bliley Act
      • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      • Health Information Technology for Economic and Clinical Health Act (HITECH)
      • Family Educational Rights and Privacy Act of 1974 (FERPA)
      • Driver's Privacy Protection Act of 1994 (DPPA)
      • Federal Information Security Management Act of 2002 (FISMA)
      • Fair and Accurate Credit Transactions Act (FACTA)
  • Slide 18
  • U.S. Federal Laws: Privacy and Information Security (continued)
      • Electronic Communications Privacy Act
      • Telephone Consumer Protection Act of 1991
      • Privacy Act of 1974
      • Computer Security Act of 1987
      • E-Government Act of 2002
      • Children's Online Privacy Protection Act of 1998
      • Children's Internet Protection Act
      • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
      • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
  • Slide 19
  • FTC and Consumer Data
      • The FTC is empowered through Section 5 of the Federal Trade Commission Act to address "unfair methods of competition in or affecting commerce" and "unfair or deceptive acts or practices in or affecting commerce".
      • As noted earlier, the failure to live up to one's own privacy policy may be deemed a deceptive practice, and therefore a privacy breach.
      • Likewise, failing to provide adequate data security may be considered an unfair practice, and therefore a privacy breach.
  • Slide 20
  • FTC and Consumer Data
      • The FTC expects organizations to provide physical, technical, and administrative security for consumer personal information.
      • The FTC does not expect the maximum available security; rather, security should be reasonable and appropriate to:
      • The organization's size and complexity
      • The nature and scope of its activities
      • The sensitivity of the PI
      • Risk assessments should be conducted to determine the areas of greatest risk, and reasonable safeguards must be implemented in light of those findings.
  • Slide 21
  • Gramm-Leach-Bliley (GLBA) Financial Data Security: Interagency Guidelines
      • The law required the agencies to adopt security regulations establishing physical, technical, and administrative safeguards to protect against the unauthorized access to, or use of, customer information.
      • Result: the Interagency Guidelines Establishing Standards for Safeguarding Customer Information.
      • The Guidelines require written information security programs. The programs must assess, manage, and control threats that could result in the unauthorized disclosure of information.
      • They encourage institutions to adopt measures appropriate to their circumstances.
  • Slide 22
  • FTC Safeguards Rule
      • Design a program to protect against unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to customers
      • Designate coordinator(s) for the program
      • Conduct a risk assessment: identify internal and external risks to customer information and assess the sufficiency of existing safeguards to control those risks
      • Design and implement safeguards to control the identified risks
  • Slide 23
  • FTC Safeguards Rule (continued)
      • Regularly test the effectiveness of the safeguards
      • Oversee service providers: select and retain service providers capable of maintaining appropriate safeguards, and require them to implement and maintain those safeguards
      • Evaluate and adjust the program in light of regular testing and monitoring, material changes in the business, or other circumstances that have a material impact on the program
  • Slide 24
  • Protected Health Information
      • HIPAA, HITECH and the HIPAA Security Rule establish national standards for the protection of individuals' electronic protected health information in the hands of covered entities.
      • HIPAA requires appropriate administrative, physical, and technical safeguards, and the Security Rule adds much more specific mandates.
      • The HITECH amendments to HIPAA apply the HIPAA Security Rule directly to business associates.
      • HHS can audit business associates for compliance and impose civil penalties (up to $1.5 million per year), criminal violations are prosecuted by the Department of Justice, and State Attorneys General can bring separate actions.
  • Slide 25
  • FERPA, DPPA, FISMA and FACTA
      • Family Educational Rights and Privacy Act of 1974 (limits disclosures of educational records maintained by agencies and institutions that receive federal funding)
      • Driver's Privacy Protection Act of 1994 (limits disclosures of personal information in records maintained by state departments of motor vehicles)
      • Federal Information Security Management Act of 2002 (requires federal agencies to develop, document and implement an agency-wide program to provide information security)
      • Fair and Accurate Credit Transactions Act