Legal


Data Breach Trends


Recently, several organizations have released data on security breaches for 2008. As you would expect, there were more reported breaches in 2008 than in 2007. Based on information from the , the trend is summarized below:

  • 2008 – 656 breaches with 35.6 million records exposed
  • 2007 – 446 breaches with 127 million records exposed
  • 2006 – 315 breaches with 20 million records exposed
  • 2005 – 158 breaches with 64.8 million records exposed

The number of reported breaches has clearly risen, more than fourfold between 2005 and 2008. The record counts are a much noisier signal, since a single very large incident can dominate a year's total (2007 is a case in point), so the breach count is the better trend indicator. The open question is whether the rise reflects an actual increase in compromised systems or simply an increase in the number of organizations that are now obliged to report.

In 2003, California became the first state to pass a data breach disclosure law. Since then, at least 43 other states have passed similar legislation requiring organizations to notify their customers when their personal information is disclosed, and the federal government is considering legislation of its own. Enterprises are therefore now required to report data breach incidents, whereas in the past they were not. It would be a mistake to assume that the rise in the incidence of reported disclosures is due strictly to a greater number of incidents; from the published figures alone it is not possible to separate the effect of new reporting requirements from an actual increase in compromises.

One thing is certain: state laws requiring notification of data disclosures have led to a wealth of information on such incidents, and organizations such as the have built web sites that track and publish information on data loss incidents. This is a positive outcome of state breach notification laws, because the prospect of public notification forces companies to take proactive measures to secure their customers’ personal information, which helps make us all more secure.

PCI DSS 1.2

Last week the Payment Card Industry Security Standards Council (PCI SSC) released the first update to the Data Security Standard (DSS) in more than two years. Version 1.2 of the DSS provides some much needed updates and clarifications to version 1.1 and is the official version of the standard as of October 1, 2008. While the council states that it has not introduced any new requirements in this version, some of the changes are significant and represent more than mere clarification. During a recent PCI DSS security assessment, I found the following changes to be the most noteworthy:

  • Compensating Controls

PCI DSS version 1.2 has much stricter language with regard to compensating controls. Every compensating control must be reviewed, documented and validated by an assessor annually, and a Compensating Control Worksheet must be completed for each one. These changes clearly signal the council’s intent to make it harder for merchants to rely on compensating controls instead of meeting the requirements of the DSS as written.

  • WEP Encryption

WEP encryption may no longer be implemented on new wireless networks after March 31, 2009, and wireless networks currently using WEP must migrate to industry best practices for strong encryption (e.g. IEEE 802.11i, i.e. WPA2) by June 30, 2010. The deadlines are generous given that WEP keys can be recovered by a passive attacker in minutes with freely available tools, so there is no reason to wait for the cutoff. While these requirements are not terribly difficult to meet, merchants need to be aware of them as they roll out new wireless networks or plan to upgrade existing WEP-protected WiFi networks.

  • Anti-Virus Software

Both versions 1.1 and 1.2 of the PCI DSS state that anti-virus software must be deployed on “all systems commonly affected by malicious software (particularly personal computers and servers).” However, in version 1.2 the council removed a note stating that viruses typically do not affect Unix-based systems and mainframes. This has led some to interpret the requirement to mean that ALL systems must run anti-virus software. I would argue this is not the case. The requirement still says “systems commonly affected by malicious software,” which to me would not include mainframes or IBM iSeries systems, for example. One could even argue that Solaris, Apple and Linux systems are not commonly affected by malicious software. Be prepared to justify that position to your assessor, though; my advice is to run anti-virus wherever it is possible and practical to do so.

  • Patch Installation

The new version of the standard provides more leeway in the patch installation process. Version 1.1 required that security patches be applied within one month of release, full stop. Version 1.2 keeps the one-month deadline for critical security patches but adds a note allowing a risk-based approach to prioritization: critical infrastructure such as public-facing systems and databases is patched within the month, while less critical internal systems may be updated later (the standard’s own example is three months). This fits better into most enterprises’ vulnerability management programs and should ultimately lead to better overall security, provided the risk ranking is documented rather than used as an excuse to defer patching indefinitely.

  • Video Cameras

Version 1.1 of the DSS required the use of video cameras to monitor sensitive areas. Version 1.2 allows video cameras and/or other access control mechanisms that monitor individual physical access to those areas. This could include card keys that record a date and time stamp each time someone enters a data center, for example, or biometric access controls. Whatever mechanism is used, the collected data must still be reviewed and correlated with other entries and retained for at least three months. Standard keys and shared keypad codes would NOT meet this requirement, as they provide no record of who entered a sensitive area and when.

  • Service Providers

Version 1.2 of the DSS provides more detailed requirements for dealing with service providers that have access to cardholder data. The merchant must maintain a list of all such service providers; ensure that they are PCI DSS compliant and monitor their compliance status at least annually; maintain a written agreement in which the service provider acknowledges responsibility for the security of the cardholder data it possesses; and establish a due diligence process for selecting service providers. These requirements force merchants to work much more closely with their service providers and to stay aware of those providers’ PCI DSS compliance status.

To view the new version of the PCI DSS as well as other related documents, go to the official PCI SSC web site at .

Like many other states, North Carolina has enacted a data breach notification law in an effort to protect its citizens from identity theft resulting from the disclosure of personally identifiable information by private enterprises.  Passed in 2005, the Identity Theft Protection Act (ITPA) sets out guidelines that companies must follow for the proper use, protection and destruction of personal information.  It also outlines the steps a business must take to notify its customers, business partners and possibly the state government in the event of a breach of personal information.  If you operate a business in North Carolina and maintain personal information, whether in digital or paper form, read on to ensure you are familiar with the law.

The law defines personal information as either a first name or first initial and a last name in combination with any of the following:

  • Social Security or employer taxpayer identification numbers
  • Driver’s license, state identification card or passport numbers
  • Checking account numbers
  • Savings account numbers
  • Credit card numbers
  • Debit card numbers
  • Personal identification number (PIN) codes
  • Digital signatures
  • Any other numbers or information that can be used to access a person’s financial resources
  • Biometric data
  • Fingerprints
  • Passwords

If a business stores this information in either digital or paper form, it must abide by the following rules in the event of unauthorized access:

  • In the case of a breach of personal information in which the business owns or licenses the information, the business must notify each person affected “without reasonable delay”.
  • In the case of a breach of personal information in which the business does not own or license the information, the business must notify the owner or licensee “immediately following discovery of the breach”.
  • The notice must include a description of the breach, the type of information that was disclosed, the actions the business has taken to prevent further unauthorized access and a phone number the customer can call for assistance.
  • The notice may be written, telephonic or, under certain circumstances, electronic.
  • If more than 1,000 notifications are made, the business must also notify the Consumer Protection Division of the state Attorney General’s office.

Additionally, businesses must take the following safeguards when disposing of personal information:

  • Implement policies and procedures to ensure the physical destruction of paper documents that contain personal information.
  • Implement policies and procedures to ensure the physical destruction or permanent erasure of electronic media that contain personal information.
  • Develop an official policy regarding the disposal of personal records.
  • Perform due diligence when contracting with a disposal company to ensure that it takes adequate measures to properly destroy paper and/or electronic media containing personal information.

Finally, any business operating in North Carolina may not do any of the following:

  • Intentionally make known or publish to the general public an individual’s SSN.
  • Intentionally print an individual’s SSN on any card required for the individual to access products or services.
  • Require an individual to transmit their SSN over the Internet without a secure, encrypted connection.
  • Require an individual’s SSN as the sole credential for accessing a web site, without also requiring a password or PIN.
  • Print an individual’s SSN on any materials mailed to the individual unless required by state or federal law.
  • Sell, lease, loan, trade or otherwise disclose an individual’s SSN to a third party without written consent from the individual if it is known or should be known that the third party has no legitimate need for the information.

Businesses that violate the North Carolina ITPA can be sued under North Carolina’s Unfair and Deceptive Trade Practices Act.  This, combined with the cost of notifying customers and the potential loss of business from damaged credibility, should be a wake-up call to ensure your business is in compliance with the law.  Below is a list of recommendations that every North Carolina business handling personal information should undertake to ensure compliance:

  • Conduct an internal audit to determine the amount and type of personal information collected and stored as part of your business processes.  If personal information is not required for business purposes, stop collecting it and dispose of what you hold securely.
  • Ensure that personal data necessary for business purposes is stored securely and is accessible only to those who need it to perform their job duties.  Be sure to include your own employees’ records, as these often contain personal information covered by the ITPA.
  • Develop policies and procedures for the secure collection, use, storage and disposal of personal information.
  • Establish a training program for all employees to ensure they are aware of the company’s policies and procedures for handling personal data.  A business can be held liable if a non-managerial employee breaks the law and he or she was not properly trained, supervised or monitored.
  • Develop an incident response plan to address the unauthorized disclosure of personal data.  The plan should cover determining the source of the breach, corrective actions, mitigation plans and proper notification of those affected.

North Carolina’s ITPA is a positive step toward protecting consumers from the very real threat of identity theft.  It requires businesses to take practical steps to safeguard personal information, and it ensures that consumers are notified if that information is breached so they can act to protect themselves.  As a business owner, it is best to go further than the requirements of the ITPA.  Many other controls and safeguards can and should be implemented to reduce the likelihood that you will one day have to notify your customers that their personal information was disclosed through your negligence.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved