Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures Presentation to the Greater Washington, DC Chapter of ARMA International.

Similar presentations


Presentation on theme: "Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures Presentation to the Greater Washington, DC Chapter of ARMA International."— Presentation transcript:

1 Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures Presentation to the Greater Washington, DC Chapter of ARMA International Wednesday, March 21, 2007 Bruce H. Nielson

2 Outline of Presentation Data Privacy and Security Breaches, Problems and Risks Data Security Breach Incidents Additional Risks Overview of Applicable Laws and Regulations Federal International State Risk Mitigation Measures Human Resources-related Measures Vendor/Service Provider-related Measures Technological Measures Q & A

3 Data Privacy and Security Breaches, Problems and Risks 104,137,499 Total number of records containing sensitive personal information estimated to have been involved in security breaches since Jan 2005 – probably a significant underestimation http://www.privacyrights.org/ar/ChronDataBreaches.htm Current and recent headlines

4 Data Privacy and Security Breaches, Problems and Risks (cont.) TJX Says Data Breach Worse than Previously Believed Ongoing probe shows it happened almost a year earlier than first thought, as far back as July 2005 TJX still hasn't disclosed the number of shoppers that may have been affected by the breach; analysts believe the number to be in the tens of millions Comerica Bank is reissuing cards to its customers whose account information was compromised in the TJX breach

5 Data Privacy and Security Breaches, Problems and Risks (cont.) Hack Attack Forces Texas A&M To Change 96,000 Passwords Texas A&M University is forcing 96,000 students, faculty, and staff to change their passwords after a hacker attempted a network break-in The university's computer users can get updated information about the break-in and the ongoing investigation at a University web site. University officials are directing people to the web site for information on how to safeguard personal information

6 Data Privacy and Security Breaches, Problems and Risks (cont.) University of Idaho Put Staff Data on Web Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused A university data file was mistakenly included along with a report from the UI's internal research department that was posted at the department's Web site. It contained information including names, birthdates and Social Security numbers for about 2,700 university employees, but did not include any personal financial account numbers

7 Data Privacy and Security Breaches, Problems and Risks (cont.) CD with Medical Data of 75,000 is Found A missing CD containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was recovered Wednesday A spokeswoman for a managed care company that monitors payments for mental health and substance abuse cases of insurers, said the company received a telephone call Wednesday morning saying that the CD was delivered by mistake to a residence in the Philadelphia area. The CD had been missing since January No way to track whether copies of the CD were made

8 Data Privacy and Security Breaches, Problems and Risks (cont.) PC, Phone Home Several years ago, Bob installed SETI@home on his wife's laptop, which was stolen from the couple's Minneapolis home on Jan. 1SETI@home Annoyed at the break-in – and alarmed that someone could delete the screenplays and novels that his wife, Sue, was writing – Bob monitored the SETI@home database to see if the stolen laptop would talk to the Berkeley servers. The laptop checked in three times within a week, and Bob sent the IP addresses to the Minneapolis Police DepartmentSETI@home Officers subpoenaed Bob's Internet service provider, to determine the address where the stolen laptop logged onto the Internet. Within days, officers seized the computer and returned it to the rightful owners

9 Data Privacy and Security Breaches, Problems and Risks (cont.) Former Fruit of the Loom Workers' Identities Compromised A security breach with a Fruit of the Loom database has left former Rabun Apparel Inc. employees on edge Word spread rapidly across the North Georgia Technical College campus Tuesday morning about how easily one could access the 1,006 names and Social Security numbers of the former employees Fruit spokesman said Tuesday evening that every possible step was being taken to purge the information from the Internet. Sometime between Tuesday night and Wednesday morning, it could no longer be accessed

10 Data Privacy and Security Breaches, Problems and Risks (cont.) Thief Stole Credit Card Numbers from Seed Site A cyber thief broke into the web site of Johnny's Selected Seeds and stole sensitive customer data, including credit card numbers; in all, 11,500 accounts were compromised. Approximately 20 of the stolen card numbers have been used fraudulently The site is now under 24-hour monitoring to prevent a recurrence; other security measures have also been implemented. Johnny's has notified all people whose account information was stolen. The initial intrusion occurred on February 4, 2007. A company official said "criminals gained access to our internal systems and gathered enough information to allow then to gain access to our web site." The FBI is investigating

11 Data Privacy and Security Breaches, Problems and Risks (cont.) Downloading from the Internet A user downloaded photos of Paris Hilton for her Windows desktop. Windows asked her to say yes to executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer started to slow down to the point where she was unable to use it. Even when she rebooted, she couldn't launch programs The IT department determined she had downloaded a Trojan program along with the photo. Her downloaded photo had a malicious payload attached that used her computer to send out spam. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process

12 Data Privacy and Security Breaches, Problems and Risks (cont.) Plugging in USB drives (or any other storage devices or media) that are find lying around People's natural curiosity and desire to help were exploited by a consultant who was hired to check security awareness at a credit union. He loaded malicious software on old thumbnail drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged any of the thumb drives into his computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers

13 Data Privacy and Security Breaches, Problems and Risks (cont.) Use of unauthorized software It may be tempting to use useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them may often cause other programs to stop working and it can take a long time for your IT teams to track down the problem. More seriously, they can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected by viruses or spyware that are intended to damage your PC or steal confidential information

14 Data Privacy and Security Breaches, Problems and Risks (cont.) Your new ID-theft worry? Photocopiers No known incidents yet, but potential is very real Most digital copiers manufactured in the past five years have disk drives to reproduce documents; copiers can retain the data being scanned If the data on the copier's disk aren't protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, sensitive information from original documents could get into the wrong hands More than half of all Americans may unknowingly put their private financial information at risk this tax season when they copy their tax returns

15 Data Privacy and Security Breaches, Problems and Risks (cont.) Instant Messaging Security Risks IM creates new avenues for the distribution of malware (viruses, worms, spyware, etc.), which can jeopardize the security of a computer network IM opens new holes through which information that is to be kept secure and confidential can be leaked IM may create invisible communications channels that operate below the radar of conventional information security measures

16 Data Privacy and Security Breaches, Problems and Risks (cont.) Wireless and Voice Over the Internet Protocol (VoIP) Security Risks Interception or capture of transmissions or packets Modification of transmissions or packets ID theft and theft of services; hijacking a VoIP call and masquerading as the intended called party Denial of service attacks that disrupt all data streams

17 Data Privacy and Security Breaches, Problems and Risks (cont.) Employees and Vendors Weak Points in Data Privacy and Security Strategy With news of another high-profile data security breach almost a daily occurrence, companies must ensure two crucial weak points their employees and third-party vendors are covered in their data privacy and security protocols Employers are responsible for employee theft of information, and may also liable if they don't ensure third-party vendors have sufficient controls in place

18 Data Privacy and Security Breaches, Problems and Risks (cont.) Most Data Breaches Traced to Company Errors Research from the University of Washington, Seattle says that organizations are more often to blame for data security breaches than outside intruders Looked at 550 data breaches that received media coverage between 1980 and 2006 Two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management or employee errors Less than one-third of the breaches were the work of outside attackers

19 Data Privacy and Security Breaches, Problems and Risks (cont.) Intel Fails to Keep Antitrust Email Intel said it has not properly preserved emails related to its ongoing antitrust litigation with rival Advanced Micro Devices In a court filing, lawyers for Intel blamed human error for a number of "inadvertent mistakes" that it says resulted in certain employees failing to retain outgoing emails as required as well as some employees not receiving timely instructions to save documents

20 Data Privacy and Security Breaches, Problems and Risks (cont.) Whats the solution?

21 Overview of Applicable Laws and Regulations Federal Data Privacy and Security Laws Gramm-Leach-Bliley Act (1999) Applies to Financial institutions Protects non-public personal financial information of consumers Regulations promulgated by the banking regulators, the SEC and the FTC Has data privacy and security requirements Notice and opt-out model

22 Overview of Applicable Laws and Regulations (cont.) Federal Data Privacy and Security Laws (cont.) HIPAA – The Health Insurance Portability and Accountability Act of 1996 Applies to health care providers, health plans, and companies that receive and process health information from health care providers and health plans – so-called business associates Requires Business Associate Agreement Protects individually identifiable health information Does not apply to de-identified health information

23 Overview of Applicable Laws and Regulations (cont.) Federal Data Privacy and Security Laws (cont.) Fair and Accurate Credit Transactions Act of 2003 Prohibits all persons and entities that accept credit cards and debit cards for business transactions from printing more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction

24 Overview of Applicable Laws and Regulations (cont.) Federal Data Privacy and Security Laws (cont.) Proposed federal legislation for a data security breach notification law It's Round 2 in Congress' bid to craft federal law that would require businesses to notify U.S. consumers about computer data-security breaches. Some believe that legislation introduced in February soon could become law, given the cooperative tone of federal lawmakers. That would be a reversal from the previous few years, when members of the House and Senate could not agree on a national data-breach law, and dozens of states passed their own laws

25 Overview of Applicable Laws and Regulations (cont.) Foreign Laws EU Data Directive – Directive 95/46/EC of the European Parliament and of the Council of October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Canadian Privacy Law – An Act to Support and Promote Electronic Commerce by Protecting Personal Information that is Collected, Used or Disclosed in Certain Circumstances... Notice and opt-in model

26 Overview of Applicable Laws and Regulations (cont.) State Laws Non-disclosure of Social Security Numbers More than half of the states have laws that prohibit the disclosure of whole social security numbers without consent Data security breach notification laws Nearly three quarters of the states have laws that require notification of affected individuals in the case of a data security breach incident, along with certain remedial measures

27 Overview of Applicable Laws and Regulations (cont.) Absence of Federal Data Breach Notification Law, and Passage of State Laws, Results in...

28 Risk Mitigation Measures Human Resources-related Measures Employee background checks Employee training and education Acceptable use policies for emails, IMs, downloads, and use of the Internet and company systems and equipment Disclaimer of privacy when using company assets Appropriate monitoring of usage Appropriate actions against violators

29 Risk Mitigation Measures (cont.) Vendor/Service Provider-related Measures Background checks of vendor and service provider personnel Vendor and service provider agreements to comply, and to cause their employees to comply, with applicable laws and with vendees data privacy and security policies Indemnification from vendors and service providers against costs, losses and expenses from any data security breach or failure to comply with applicable law or vendees policies

30 Risk Mitigation Measures (cont.) Technological Measures Password protection for computers, devices, networks, documents and databases Physical security for servers, equipment, devices and data and document storage and processing areas Data encryption Internet firewalls, email filters, anti-virus software programs and meta data scrubbing programs Tracking of missing/stolen devices Data security breach response plan

31 Questions and Answers


Download ppt "Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures Presentation to the Greater Washington, DC Chapter of ARMA International."

Similar presentations


Ads by Google