Data Breach Notification Laws Time for a Pimp Slap 10/21/2011 Steve Werby Chief Information Security Officer University of Texas at San Antonio

Data Breach Notifications Laws - Time for a Pimp Slap Presented by Steve Werby at BSides Missouri 2011


DESCRIPTION

Data breach notification laws have proliferated worldwide, beginning with California’s law, which was enacted nearly a decade ago. As a result, citizens are being bombarded by breach notifications and media coverage of data exposures has skyrocketed. But are these increasingly onerous laws leading to stronger information security and better decisions by citizens or are they backfiring? I’ll compare existing laws, analyze data breach notifications and explore the effects of these laws, including feedback from citizens and information security professionals. By comparing data exposure disclosure to other negative events that don't require disclosure and sharing alternate disclosure models, I'll leave the audience questioning whether there's a better way.


  • 1. Data Breach Notification Laws Time for a Pimp Slap 10/21/2011 Steve Werby Chief Information Security Officer University of Texas at San Antonio

  • 2. Pimp slap
    - A powerful, backhanded slap to the face
  • 3. @stevewerby
    - Favorite color: Cadet blue
    - Hobby: Stalking divorcees under age 25
    - Favorite number: 6.0221415 × 10^23
    - Pet's name: Cujo
    - Favorite movie: Santa with Muscles
    - Last 4 of my SSN: 6497
    - Place of birth: Delta City
  • 4. Infosec since '99 - ran 2 IT consultancies '99-'04, analyst at a university, CISO at state agency, CISO at a university^2
  • 5. Today's menu
    - Incidents I was involved in
    - Data breach notification laws - what and why
    - Issues
    - Alternatives to achieve desired goal
  • 6. Definitions
    - Exposed: made accessible to unauthorized person
    - Breached / compromised: access gained by unauthorized person
    - Misused: used by authorized person for unauthorized purpose
    - Potential: possible != actual
  • 7. Getting to know you
    - Received a data breach notification?
    - Been involved in handling one?
    - Investigated the incident that led to it?
    - Participated in decision about whether to notify?
    - Identified contact information?
    - Wrote notification content?
    - Handled notification logistics?
    - Answered calls from affected individuals?
    - Caused an incident that led to a notification?
  • 8. Example exposures (maybe)
    - Data sanitization vendor's driver sold laptops
    - Medical provider's computers stolen
    - Grade processing system stolen
    - Personal info exposed to unauthorized employees
    - Web hosting provider's password DB compromised
  • 9. $
    - Sony - $10s of millions
    - Those I've been involved in - 5-6 figures
  • 10. $ - 12/15/2010 Ohio State exposure of 760,000 individuals' names, DOBs, SSNs
    - 3rd-party forensic analysis - $222,000
    - Legal consultant - $100,000
    - Communications consultant - $50,000
    - Notification and credit protection - $3,700,000
    - Reputational damage - ?
    - Employee time - ?
  • 11. 2 recent examples
    - TRICARE
    - Stanford Hospital
  • 12. Tip of the iceberg
    - Only a tiny fraction of data exposures are disclosed
  • 13. In the beginning
    - Enacted in 2002, effective in 2003
    - Limited to data related to financial identity fraud
  • 14. Motivation
    - Perception that breaches of electronic data involving personally identifiable information were increasing
  • 15. Increase in electronic breaches?
    - Actual increase not verifiable
    - Doesn't consider growth in electronic data storage
    - Substantial % of identity fraud not due to electronic data
    - Remote system accessibility & portable storage increase
    - Breach stats combine actual and potential
    - Has led to a cycle => more/broader/improved laws => more reporting => more individual awareness & more media coverage => improved security resources, processes, posture => more breaches discovered => more/broader/improved laws
  • 16. Rationale
    - Provides necessary information for affected individuals to make informed decisions to mitigate impact
    - Negative consequences associated with disclosure will result in improved security practices
  • 17. Boom goes the dynamite
  • 18. Types of harm
    - Death and physical harm
    - Financial loss: loss of $, loss of property, property damage; credit score damage; financial identity fraud (account takeover, account creation)
    - Social harm: loss of job, damage to professional opportunities; relationships, embarrassment
  • 19. AYCE notification
    - Death and physical harm: murderers, violent offenders, mentally unstable; people with contagious disease, speeders, drunk drivers
    - Financial loss: robbery, burglary, vandalism (robber, burglar, vandal); fraud, customer complaints, charlatans
    - Social harm: insecure Wi-Fi APs, people who own binoculars
    - Provides necessary information for at-risk individuals to make informed decisions to mitigate impact
    - Negative consequences associated with disclosure will result in reduction in risk
  • 20. Data breach notification laws
    - Federal laws: health records - HITECH Act (via HHS and FTC); financial records - GLBA, FTC Safeguards Rule; education records - FERPA; federal agencies' records - FISMA, OMB, VA
    - State+ laws: 46 states (MA + NC cover paper); DC + Puerto Rico + Virgin Islands
    - International: Europe, Japan, and more
  • 21. Data breach notification laws
  • 22. Data breach laws - future
    - Federal laws: existing laws are in flux; overarching national law could be coming
    - State+ laws: scope and other details changing - Alabama, Kentucky, New Mexico, South Dakota; Texas healthcare; California beefing theirs up
    - International: Europe considering expanding beyond telecom; Canada; Taiwan
  • 23. Components
    - Who the law applies to
    - Types of data covered
    - State/format of data covered
    - What constitutes a breach
    - Disclosure obligations
    - Non-compliance ramifications
    - Exceptions
  • 24. Who the law applies to
    - Entity || individual
    - May specify type
    - Conducts biz in state || maintains data of residents of state || resulted in or may result in a type of harm to a resident of the state
  • 25. Types of data covered
    - (First name || first initial) && last name + (SSN || DL || unique government ID) || ((Financial account # || CC # || debit card #) && (security code || password)) || (medical info || health insurance info)
  • 26. State/format of data covered
    - Electronic; in some cases paper too
    - Unencrypted || encrypted, but key breached || not redacted or altered
  • 27-30. [slide text missing from the transcript; only this fragment survives] SSN defined threshold || # of recipients > defined threshold || contact info is unreliable or unknown || can't identify affected individuals
  • 31. Disclosure obligations - detail
    - General incident overview
    - Type of personally identifiable information
    - Steps that will be taken to protect against further unauthorized access
    - Contact phone number (if one exists)
    - Advice to review account information and free credit reports
  • 32. Non-compliance ramifications
    - Attorney general may bring action to obtain actual damages or seek civil penalty for willful and knowing violation of notification requirements
    - Federal agencies can sanction orgs: mandate controls, mandate audits
    - Affected individual can seek to recover direct economic damages, but not $ for the time they put into doing so
  • 33. Exceptions
    - Notification not required if affected individuals unlikely to experience fraud as a result of incident
    - Some types of organization/sectors excluded
  • 34. Data breach notification laws
  • 35. Issues - scope
    - Not comprehensive enough: mostly electronic; 30% of reported breaches involve paper, and some reports indicate most breaches involve paper; what about spoken word and smoke signals?
    - Focus almost entirely on financial identity fraud
    - Excessive notification: only 3% of those notified of a breach experience identity fraud as a result; leads to ignoring, considering all the same, failure to take action
  • 36. Issues - ambiguity
    - Reasonable; without reasonable delay
    - Likely; may result in harm; likely to result in harm
    - Validity of contact information
    - Must other states' laws be adhered to?
  • 37. Issues - difficulty complying
    - Inconsistencies: follow each state's requirement, or adhere to the state's requirement that's limiting
    - Incompatibilities: LEA allows for delay in notification, but another state doesn't allow for that
    - Individual / small org vs. large org
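The coverage test from slides 25 and 26, as an added example that is not part of the talk: a record-level check a responder can run over an exposed data set to see which records fall inside the personal-information definition and the unencrypted/unredacted condition, with the reason attached. The field names are assumed labels, and the slide-25 expression is read as a name combined with one of the other element groups; real state definitions differ in exactly these details, which is the inconsistency problem slide 37 raises.

```python
from dataclasses import dataclass

# Data elements from slide 25, grouped the way the slide's boolean expression groups them.
# The field names are labels assumed for this illustration, not terms taken from any statute.
GOV_ID = {"ssn", "drivers_license", "government_id"}
FINANCIAL = {"financial_account", "credit_card", "debit_card"}
ACCESS_SECRET = {"security_code", "password"}
HEALTH = {"medical_info", "health_insurance_info"}

@dataclass(frozen=True)
class ExposedRecord:
    fields: frozenset          # data elements present in the exposed record
    encrypted: bool = False    # slide 26: encrypted data is out of scope ...
    key_exposed: bool = False  # ... unless the key was breached as well
    redacted: bool = False     # slide 26: redacted/altered data (e.g. last 4 of SSN only) is out of scope

def is_personal_information(fields) -> bool:
    """Slide 25 read as: a name (first name or initial, plus last name) combined with a
    government ID, or a financial account number plus its security code/password, or health info."""
    f = {x.lower() for x in fields}
    has_name = "last_name" in f and bool(f & {"first_name", "first_initial"})
    gov_id = bool(f & GOV_ID)
    financial = bool(f & FINANCIAL) and bool(f & ACCESS_SECRET)
    health = bool(f & HEALTH)
    return has_name and (gov_id or financial or health)

def coverage(rec: ExposedRecord) -> tuple:
    """Apply slide 25, then the slide 26 format conditions; return (triggers notification, reason)."""
    if not is_personal_information(rec.fields):
        return False, "not personal information under the slide 25 definition"
    if rec.redacted:
        return False, "redacted or altered"
    if rec.encrypted and not rec.key_exposed:
        return False, "encrypted and key not breached"
    if rec.encrypted:
        return True, "encrypted but key breached"
    return True, "unencrypted personal information"

# Constructed sample exposure (not real data): one dump containing mixed record types.
SAMPLE = (
    ExposedRecord(frozenset({"first_name", "last_name", "ssn"})),
    ExposedRecord(frozenset({"first_initial", "last_name", "credit_card"})),  # no security code
    ExposedRecord(frozenset({"first_name", "last_name", "credit_card", "security_code"})),
    ExposedRecord(frozenset({"ssn", "medical_info"})),  # no name attached
    ExposedRecord(frozenset({"first_name", "last_name", "ssn"}), encrypted=True),
    ExposedRecord(frozenset({"first_name", "last_name", "ssn"}), encrypted=True, key_exposed=True),
    ExposedRecord(frozenset({"first_name", "last_name", "health_insurance_info"}), redacted=True),
)
```

Running `coverage` over `SAMPLE` flags three of the seven records; the others drop out for a stated reason, which is the part a notification decision record needs.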
  • 38. Issues - inequitable treatment
    - Single incident could result in: notification not required for some individuals; some individuals provided different information; some individuals less likely to receive notification
  • 39. Issues - miscellaneous
    - Ways of identifying a person are myopic: username, email address, phone number
    - Don't always know residency of individual: residency information not collected; residency information could be stale; phone # portability
  • 40. Issues - incentives
    - Avoidance $ < notification $ + notification impact $?
  • 41. Issues - rationale vs. reality
    - Provides necessary information for affected individuals to make informed decisions to mitigate impact
    - Information overload, useless information
    - Many actions should be taken regularly anyway: account review, credit report review
    - Some actions can't be taken: can't get issued new SSN or stop doing biz with gov
    - Risk is overblown: impact, likelihood / liability
  • 42. Issues - rationale vs. reality
    - Many incidents are people failures
    - Affected individuals' memories are short
    - Orgs' efforts like Iridium-192
    - Orgs' efforts sub-optimized
    - Proof's in the pudding
    - Negative consequences associated with disclosure will result in improved security practices
  • 43. Pimp slap
  • 44. Alternatives
  • 45. Plan 1: Play Angry Birds and just don't sweat it
  • 46. Plan 2: Fine violators $100 billion
  • 47. Plan 3: Make all information public
  • 48. Alternatives - the elements
    - Focus on preventing unauthorized access
    - Focus on preventing misuse of data
    - Encourage individual behavior
    - Improve breach notification laws
  • 49. Prevent unauthorized access
    - Mandate or encourage: limiting access to authorized personnel; limiting use to authorized purposes; protection and transmission of data; risk management
    - Educate authorized personnel
    - Increase personnel's accountability
  • 50. Prevent misuse of data
    - Make it more difficult to access financial accounts
    - Make it more difficult to create financial accounts
    - Make it more difficult to access any accounts
    - Increase penalties for data theft and misuse
  • 51. Encourage individual behavior
    - Preventive: use unique passwords everywhere; use unique usernames (I don't eat my own dog food); protect your email account - keys to the kingdom; protect the personal information you control
    - Detective: check financial accounts routinely; check credit reports routinely
  • 52. Improve breach notification laws
    - Increase scope beyond financial fraud risk (Oh, Canada!) and include all types of orgs
    - Increase consistency in state laws
    - Risk-based approach: likelihood of access, likelihood of misuse, potential impact, org's ability to mitigate, compensating controls, affected individuals' ability to mitigate; compliance status - infosec program, risk-based approach; sanction status
    - Leave up to org? Or scoring system
  • 53. Improve breach notification laws
    - Consistent reporting format
    - Increase information that's shared
    - Reduce PR speak
    - Clearly describe risk
    - Clearly describe recommended actions
  • 54. Improve breach notification laws
    - Tiered notification: Tier 1 - track internally, make available for audit, notify internal personnel; Tier 2 - notify national authority and internal personnel; Tier 3 - notify affected individuals
    - Notification methods: to affected individual, based on org's size; national database - public and private views
  • 55. Questions and discussion ?
  • 56. Contact me
    - @.com
    - @stevewerby
    - 3 blocks from 29.431057 N, 98.490522 W