Privacy Today Why It’s Driving Security And How You Can Manage It Stephen Cobb, CISSP
Today’s Agenda • Why and how privacy is driving security • What privacy laws/rules are impacting security • How to manage privacy in your organization • Changes you may need to make to your security • Tools to help Session Time 9.00 AM-Noon, 12/10/02
Session Leader • Stephen Cobb, CISSP • Started writing [his] first computer security book, 1989 • Stephen Cobb Guide to PC & LAN Security, 1992 • National Computer Security Association, 1994-96 • Miora Systems Consulting (MSC), InfoSec Labs, 1997-1999 • Security Evangelist, Rainbow Technologies, 1999-2001 • Senior VP, Research & Education, ePrivacy Group, 2001 • Advised Federal Trade Commission in matter of Eli Lilly (prozac.com) • Author, Privacy for Business: Web Sites & Email, 2002 • Adj. Professor MSc. Information Assurance, Norwich University, 2002
3 Biggest Things in Security This Year? • The identity theft explosion • Large-scale, computer-access based, fuels consumer fears over handling of personally identifiable information (PII) by commercial and government entities • FTC action in Eli Lilly and Microsoft Passport • Companies who break privacy promises and fail to live up to security claims will face consequences (like 20 years of government monitoring) • Bugbear and other virus/worm/Trojan code • Apart from being hard to stop, they expose PII and underline the sad state of client systems today
Relationship of Privacy to Security • Complex and definition dependent • Security is about how you control access to information • Privacy is about who controls access to what information • Security is technology, privacy is policy • Security is a two-edged sword, e.g. Fired? PGP the hard drive! • Privacy is a two-sided dilemma, e.g. Don’t track me! Track my miles! • You can have security without privacy, but you can’t have privacy without security • KPMG “Managing Privacy as a Competitive Advantage” • IT security in the enterprise has traditionally served the interests of the enterprise. Privacy brings a new customer to the table: the customer. • David Brussin, CISSP, CTO, ePrivacy Group
Some Definitions Should Help • Information Privacy: • The right of individuals (customers) to determine if, when, how, and to what extent data about themselves will be collected, used and shared with others. (Ask me who uses this definition) • Information Security: • The ability to control the confidentiality, integrity, and availability of information. • Personally Identifiable Information: • Any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or from which identification or contact information of an individual person can be derived... includes, but is not limited to: name, address, phone number, fax number, email address, financial profiles, medical profile, social security number, and credit card information.
Concerns Cannot Be Denied or Ignored Fundamentalists want more privacy rules. Pragmatists favor self-regulation. Survey of 1500 consumers by Privacy and American Business
Business Has Responded, But Slowly • So far only 51% of companies have privacy policies, even though 97% have Web sites and 53% use those sites for e-commerce • Weak sectors (retail, healthcare, manufacturing) • Stronger sector (banking, transportation) • Computer Economics Institute, March 2002 • Barely half of companies post privacy notices on their Web sites and 60% don’t monitor their Web sites to make sure they deliver the privacy that’s promised • Watchfire/PWC
Privacy Incidents = Security Incidents • Eli Lilly Prozac Email Incident • Exposed PII of prozac.com reminder service subscribers • FTC deemed this coding error to be a security failure • Imposed a settlement that lasts 20 years • State fines imposed (piggyback) • Microsoft Passport • Claim of strong security found deceptive • Even though no PII exposed • FTC settlement imposed • Fines if broken ($11K each time) • Ziff Davis • Exposed credit cards on Web • ID theft resulted • $125K to states and persons • Incident Impact: Stock price takes a hit. Press “goes negative.” Brand name tarnished. Resources diverted. Opportunity costs incurred: Marketing, PR, Employees, Managers, Lawyers
Security Breaches = Privacy Breaches • Privacy breach occurs when there is exposure of personally identifiable information (PII) regardless of what caused the exposure • The controls imposed by proper security could prevent most of these breaches • E.g. Ziff Davis Media exposed credit cards on Web: due to rogue action inside company (bypassed SOP), but security procedures should have prevented this action • E.g. Microsoft ftp site snafu: millions of names and addresses, encrypted with Zip using a 4-letter password; policy and procedure could have prevented this, better awareness would help • Security includes proper software development methodology and protocols, e.g. Eli Lilly • Company had extensive QA, version control, etc. • But Web/Email developers were not included
Cost of “A Damaging Privacy Incident” • Source: Forrester Research, Feb 2001 report (www.forrester.com)
Privacy Imperatives: What You Have to Do • Privacy Laws (over 30 Federal, more State): • COPPA (kids on the Web) • HIPAA (covers health care organizations and more) • GLBA (covers many finance-related companies) • FTCA? FTC’s mandate to act on “deceptive practices” • Privacy Torts: right of private privacy action • Yesterday Tammy, today Prozac in the mail box, tomorrow? • Class action privacy lawsuits are on the increase • More attorneys willing to take privacy cases on contingency basis • State Attorneys General: No downside for them • Great way to show you care about consumers • Also resonates with calls for corporate responsibility • New York AG Spitzer particularly aggressive
Why “No New Privacy Laws” Means More Cases • Familiar argument: We don’t need any more laws, we need enforcement of existing laws. Applied by the Bush administration to privacy laws, so the FTC is enforcing the law • Taking action against “deceptive business practices” • If your company promises to protect PII but fails, you may be judged to have broken “privacy promises” (courts of public opinion, press, law) • This has been deemed a deceptive trade practice (deceiving consumers brought unfair advantage over competitors) • Breaking of promises does not need to be intentional to be judged deceptive, and does not need to be actual to be prosecuted: • “Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It is not only good business, it’s the law. Even absent known security breaches, we will not wait to act.” —FTC Chairman Timothy Muris, August 2002
4 Way Privacy Pressure = 4 X Risk • Security is no longer just about protecting company secrets • Must also provide protection for customer data throughout the data life cycle • Requires an effective approach to “privacy management” • (Figure: four sources of pressure, State AGs, FTC, civil suits and compliance; 4 X pressure = 4 X risk)
Security Rules for Privacy Laws • HIPAA and GLBA establish security rules • These are significant even if your organization is not a covered entity for either of these laws. • Implications of HIPAA Security Rule • Federally mandated standard for security practices • For organizations involved in health or handling health-related information, including much research data • Defines practices necessary to conduct business electronically in the health care industry today • Establishes that these are the things you should be doing today (pre-empting arguments over costs) • Provides solid basis for legal action by anyone who feels harmed by exposure of their health data • If the organization that exposed the data is not at or above the standard, defense will be difficult
HIPAA Requirements in a Nutshell • Written policies and notification of those policies and practices to patients • Patient right to access his or her record, and the right to correct errors • Use of "minimum necessary" data for various functions • Designation of entity official responsible for privacy • Training, internal safeguards, a complaint process, sanctions for violations and mitigation procedures • Compliance by "business associates" and employers acting as "plan sponsors" • Linda Malek, Esq. Moses & Singer
HIPAA Exposure Spreads • The fact that HHS will not actively pursue violations is irrelevant • “Low-stakes" exposure exists for litigation involving a single plaintiff and an isolated breach • “High-stakes" exposure exists, such as inadvertent mass disclosure due to poor security, or failure to follow internal privacy policies/procedures, or medical data abuses or breaches by business associates • For a security violation or a breach by a business associate, plaintiffs’ lawyers might use the satisfactory assurance requirement plus a state law negligence claim by patients for wrongful disclosure of PHI • Argument is that the covered entity owed a duty of care to the patient to ensure that personal data was not negligently entrusted to a third party who failed to take appropriate steps to safeguard it • The applicable standard of care would likely be the prudent behavior standard, which plaintiffs’ lawyers could be expected to argue is enhanced by the HIPAA statutory standard of “satisfactory assurance” • Leigh-Ann Patterson, Esq. Nixon Peabody
Security Practices in the HIPAA Security Rule • Organizational Practices: security and confidentiality policies; information security officers; education and training programs; and sanctions • Technical Practices and Procedures: individual authentication of users; access controls; audit trails; physical security; disaster recovery; protection of remote access points; protection of external electronic communications; software discipline; and system assessment • Use these as a checklist for comparison with your current security practices.
Physical Security and Data Protection • Assign security responsibility • Control of electronic media (access, backup, storage, disposal), including audit trails • Limit physical access to systems and facilities • Control workstation use • Secure location for workstations • Security awareness training for personnel • Access control, including process for emergency access; either context-based, role-based or user-based access must be provided; controls must be auditable • Data authentication must be provided • Uniquely identifiable user authentication, with an automatic logoff feature (e.g. PIN, password, token, biometric)
Data Transmission and Digital Signatures • Message authentication & integrity controls • Either access controls or encryption must also be provided • If a network is used, the following must be implemented: alarm capability; audit trails; entity (user) authentication; event reporting • Use of digital signatures is optional under HIPAA • If used, digital signature technology must ensure: message integrity; non-repudiation; user authentication
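As an added illustration (not from the slides or any HIPAA product), the Python sketch below shows how several of the controls listed on the last three slides look in code: role-based access whose every decision lands in an audit trail, uniquely identified user sessions with automatic logoff after inactivity, and an HMAC message authentication and integrity check for PHI in transit. The roles, the 600-second timeout and the key are constructed for the demo.

```python
import hashlib, hmac, time
# Constructed demo of the HIPAA Security Rule technical controls listed above:
# role-based access, auditable controls, unique user auth with automatic logoff,
# and message authentication/integrity. Illustrative only, not a compliant product.
AUTO_LOGOFF_SECONDS = 600  # assumed inactivity limit for the demo
ROLE_PERMISSIONS = {       # constructed role-based access matrix
    "physician": {"read_phi", "write_phi"},
    "billing": {"read_phi"},
}

class PHIGateway:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}     # session_id -> (user, role, last_activity)
        self.audit_trail = []  # every decision is recorded, allow or deny

    def _audit(self, user, action, outcome, reason=""):
        self.audit_trail.append({"ts": self.clock(), "user": user, "action": action,
                                 "outcome": outcome, "reason": reason})

    def login(self, user, role, session_id):
        # Uniquely identifiable user per session; no shared accounts
        self.sessions[session_id] = (user, role, self.clock())
        self._audit(user, "login", "allow")

    def request(self, session_id, action):
        sess = self.sessions.get(session_id)
        if sess is None:
            self._audit("unknown", action, "deny", "no session")
            return False
        user, role, last = sess
        now = self.clock()
        if now - last > AUTO_LOGOFF_SECONDS:
            # Automatic logoff: the idle session is terminated, not refreshed
            del self.sessions[session_id]
            self._audit(user, action, "deny", "auto-logoff")
            return False
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, action, "deny", "role lacks permission")
            return False
        self.sessions[session_id] = (user, role, now)
        self._audit(user, action, "allow")
        return True

def sign_message(key: bytes, message: bytes) -> bytes:
    # Message authentication & integrity control for PHI in transit
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign_message(key, message), tag)

def demo():
    # Walk the controls with a fake clock so automatic logoff is observable
    clock = [1000.0]
    gw = PHIGateway(clock=lambda: clock[0])
    gw.login("dr_smith", "physician", "s1")
    gw.login("clerk", "billing", "s2")
    results = {"physician_read": gw.request("s1", "read_phi"),
               "billing_write": gw.request("s2", "write_phi")}
    clock[0] += AUTO_LOGOFF_SECONDS + 1
    results["idle_read"] = gw.request("s1", "read_phi")
    tag = sign_message(b"demo-key", b"PHI record 42")
    results["tamper_detected"] = not verify_message(b"demo-key", b"PHI record 43", tag)
    results["deny_reasons"] = sorted({e["reason"] for e in gw.audit_trail if e["outcome"] == "deny"})
    return results
```

Running demo() shows the billing role denied a write, the physician session logged off after the idle period, a tampered message rejected, and each denial present in the audit trail.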
PII and PHI on Open Networks • “Each organization that uses communications or networks would be required to protect communications containing health information that are transmitted electronically over open networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient, and to protect their information systems from intruders trying to access systems through external communication points.” • “When using open networks, such as the Internet or dial-in lines, some form of encryption should be employed.”
VANs And VPNs • The utilization of less open systems/networks such as those provided by a value-added network (VAN) or private-wire arrangement provides sufficient access controls to allow encryption to be an optional feature. • VPNs tunnel over the Internet and must be encrypted, as well as protected
Enterprises Need Privacy Management • Requires board level attention, commitment, action • Appointing a CPO is probably best first step • Titles may differ, but someone needs to be in charge • CPO shows you take privacy seriously • Great way to focus energy on privacy programs • But CPO quickly swamped, needs support team • CPO/Team must be inter-disciplinary • Legal • Technical • Public and government relations • Marketing • Management
CPO Has Internal and External Roles • Internal Role: company-wide strategy; business development; product development & implementation; operations; security & fraud; corporate culture • External Role: industry relations; government relations; media and PR; privacy community; consumer relations • Facilitator: with senior management support, forge long-term cross-disciplinary privacy model; problem solve for team members; assure cross-disciplinary training
The CPO’s Top Ten Challenges • Data = corporate “family jewels,” but value = use, so entire data life cycle needs to be understood and protected • Contractual protections helpful, but on their own are not enough • Security threats: hackers, partners, and the marketing dept. • New products/services requiring review of data policies • New partnerships/alliances requiring coordination of policies • Data “bumps” (combining databases, augmenting data) • M&A issues (merging differing policies) and ownership changes • Monitoring for compliance in fast-moving organizations • Consumer fears: higher than ever, media sees a good story • Legislators/regulators eager to turn that fear to their advantage
10 Action Items • Three areas: • “Know what you do.” • “Say what you do.” • “Do what you say.” Courtesy of Ray Everett-Church, CPO, ePrivacy Group and the author of “Internet Privacy for Dummies.”
“Know what you do” 1. Assess your data gathering practices - Database Administrator is your friend - Division level, department level databases? - Business development deals? Marketing plans? 2. Understand your level of "permission" - “Legacy” databases and past practices - Past performance v. future expectations 3. Assess your defensive measures against outsiders - Network security audits 4. Assess your defensive measures against insiders - Consider centralized policies if not centralized control - Access restrictions in place and managed right
“Say what you do” (a/k/a Drafting/Revising your Privacy Policy) 5. Clearly disclose all relevant practices • Notice, choice, access, security, redress 6. Plan for changes in practices that are consistent with today’s policy • Balancing “weasel wording” with true flexibility 7. If you diverge from today’s policy, make the changes loud and clear, and move on! • State your case plainly, proudly, and let consumers make their choices
“Do what you say” 8. Get a CPO and build a privacy team • Designate point person in departments • Business Development • Product Management/Development • Operations • Designate point person for major issues • Compliance (regulatory & industry) • Legal and Regulatory 9. Implement ongoing security and data audits 10. Integrate privacy into your corporate message • Internally (education) • Externally (consumer message, industry, regulators)
10 Time-saving/Cost-saving Steps • Invest in a good data audit (self or 3rd party). • Identifies current practices, uncovers flaws, sets baseline. • Invest in a good security audit. • Cheaper before trouble occurs v. after trouble occurs • Once practices are assessed and problem areas resolved, get certified.* (e.g., TRUSTe, BBBOnline). • * know the limitations of certification programs • Keep an eye on the political/regulatory scene: AIM, DMA, ITAA, OPA. • Easiest way to stay ahead of the curve, alerted to data practices that are in media, privacy advocate cross-hairs. • No team? Recruit “clueful” staff.
10 Time-saving/Cost-saving Steps • Build privacy policies and audit rights into agreements • Partners are a weak link; privacy problems spread • Don’t be shy about bringing in help. • Think of auditors, consultants as insurance. • When in Rome... get local counsel! • Recruit company executives (internal or external) for “Privacy Board” to share responsibility, blame. • Plan for disaster. • Participate in the legislative process. • Prevention is cheaper than cure (ask kids sites). • Do us all a favor: if you have a good story, tell it! • Join the IAPO: We’re all in this together.
Plan of Attack: Target, Treat, Train • Target • Find current privacy exposures and prioritize • (Talk to department heads, map data flows, ask questions, especially of marketing) • Treat • Make necessary changes and then institute policies and procedures to prevent recurrence • Train • Make sure everyone understands the importance of privacy, especially anyone who touches PII • (This goes a lot further than customer service, e.g. contracts, programming, product development)
Privacy Incident Cost Containment Model • Identify biggest risks in key areas of the business • Fix these first • Move on to the lesser risks • While developing policy, procedures, training • Faster, cheaper risk reduction than “assess-then-amend” • (Figure: risk over time, PICC versus assess/amend)
Your Best Weapon? Training & Awareness • Security technology without security training is a waste of money (e.g. anti-virus software v. email attachments) • The single best defense is a privacy and security-savvy workforce • Documented training also creates strong defense for the organization in the event of privacy or security breach • “We trained this person not to do that, so we were not negligent” • Training required by regulations but more importantly by due diligence and standard of due care • Training can be accomplished at reasonable cost per person through technology (web, intranet, video, etc)
Training for All Employees Who Touch PII • Web-based training is very cost-effective
General and Compliance Courses • Third-party endorsed training is good due diligence
Changes Privacy Makes to Security • (Figure: data life cycle stages: data collection, data usage, data sharing, data storage, data destruction and retention) • Security must extend traditional protection of company data to customer data, at all stages of the data life cycle • Security must understand that any PII leakage is a security issue • All employees must be privacy and security-savvy • Security will be asked to authenticate customers, to allow them access to their PII • Security must secure wireless and other technologies that threaten PII • Encryption for communication of PII will need to get much better • On the plus side: security may get a boost from the provable ROI you get with privacy/security spending
Tools to Help • Professional associations • E.g. IAPO • Trust authorities • E.g. TRUSTe • Free tools for policies/notices/statements • see Privacy for Business Sources • Some good conferences • privacyassociation.org • Privacy rights management software emerging • E.g. IBM’s Tivoli SecureWay Privacy Manager and Enterprise Privacy Architecture
The Good News Is: Privacy Pays • Security professionals struggle to justify security spending to CxO • ROI in security is inherently hard to figure • Company A spends $1 million and suffers no breaches. Company B spends $2 million. Was B twice as safe? How would you know? Or was A twice as lucky? And at what point do you reach diminishing returns? • But privacy has a provable ROI, for example: Royal Bank of Canada • The bank takes the position that giving customers the level of privacy they want is a competitive differentiator. • For example, its banking division maintains in its databases a file of customers' privacy preferences. Before managers undertake any marketing initiative, they must check mailing and calling lists against that database. • "Information is really the currency of the relationship with our customers, and trust is a key part of that relationship," — Peter Cullen, CPO.
And the Grand Prize Is: $630 million • The consumer and retail portion of RBC market capitalization is $9.0 billion. • Each year, the bank surveys customers about the importance of branch services, customer service, and more than a dozen other items. • Added privacy to the list about six years ago, • Ranks in the middle of what consumers consider valuable. • Based on the survey results, the bank figures that privacy drives 7% of the demand for its products and services. • That means 7% of the $9.0 billion shareholder value of the bank's consumer business: $630 million.
Thank You! — For More Information • Email Stephen Cobb • sc at cobbassociates.com • Privacy for Business News • www.privacyforbusiness.com • Cobb Associates • www.cobbassociates.com • Join • IAPO at www.privacyassociation.org