Presentation on theme: "By John P. Hutchins Troutman Sanders LLP April 17, 2013"— Presentation transcript:
1By John P. Hutchins Troutman Sanders LLP April 17, 2013 In-House Counsel’s Top Concern: Does Our Company’s Data Security Measure Up?By John P. HutchinsTroutman Sanders LLPApril 17, 2013
2What Is In-House Counsel’s Top Concern? More than half say they Data SecurityInhousecounsel.com, December 2012“Data thieves “honing in on” the “retail bullseye”Fox Business, February 2013Retail accounted for 45% of total breaches in ‘1215% year over year increase from 2011
3Retailer Breach Examples Barnes & NobleHackers attack PIN Pad Mobile Devices at POS63 storesSteal Card and PIN dataZappos – 201224 million customersnames, billing addresses, phone numbers, truncated credit card numbers and “cryptographically scrambled” passwords
4Retailer Breach Examples Subway and other unnamed retailersCard data of 80,000 customersMillions of dollars in unauthorized purchases from 2008 to May 2011Hackers, all 20-something Romanian nationals, infiltrated more than 200 U.S.-based merchants’ point-of-sale systems after scanning the Internet for vulnerable POS systems
5Retailer Breaches Common What Can Be Done?Develop Information Security ProgramIncluding regular Security Audits
6Some Laws Requiring Information Security Program Old Regime – Only Case LawCase law recognizes a cause of action for public disclosure of private facts.Prove three prongs: (1) facts were publicly disclosed, (2) the facts disclosed were private facts, (3) the disclosure would offend a reasonable person of ordinary sensibilities.New regime – Statutory Framework.Information Security Breach LawsImmediate notice when customer information may have been breached.
7Mass Reg 201 – Requirement of “Information Security Program” 2008It is a legal obligationIt is a defense to liabilityIt is (or will soon be) contractually required by your business partnersIt actually helps improve data security
8Nothing New Under the Sun GLB security regulations (Fed, OTC, FDIC, OCC) – 2001GLB security regulations (FTC) – 2002FTC enforcement actions – 2002–presentHIPAA security regulations (HHS) – 2003 (and recent amendments)Oregon (as a safe harbor) – 2007AG enforcement actions and developing case lawArgentina, Austria, EU Data Protection Directive, Iceland, Italy, Netherlands, Norway, Philippines, Poland, Portugal, Spain
9What is a Security “Program?” A security “policy” is NOT a security “program”An policy, a password policy, or any other policy is not, by itself, a security programSecurity “controls” are NOT a security “program”Firewalls, virus detection software, encryption capabilities, and other security controls do not, by themselves constitute a security programCompliant program may include all of the above
10Where Do I Start? Start with the concept that security is relative E.g., the security needed for launching nuclear missiles is different than the security needed for running a retail operationThen, assume –You have had a security breach,You have been sued in a class action, andYou are on the witness stand, being grilled by the plaintiff’s attorney about “why” you did, or did not, implement particular security controlsConsiderHow you answer those questions, andWhat documentation you have to back up those answers!
11Who Can I Get to Help?It requires an interdisciplinary effort between --Security professionalsLawyersNeither can do the whole project without the otherTypically it should be either –A two-stage project (security analysis followed by legal analysis)A joint lawyer / security professional project
12Building a Comprehensive Security Program It must be in writing“If it’s not in writing, it doesn’t exist”It must be risk-basedIt consists of –A process of risk assessment and evaluation, andImplementation of appropriate security controls
13Basic Requirements Understand the Data Risk assessment Risk mitigation Evaluate risks and vulnerabilities in context of company’s environmentRisk mitigationImplement reasonable and appropriate security controls to protect against reasonably anticipated threats or hazards to security of data
14Risk AssessmentRisk assessment is the foundational element in the process of achieving complianceLaw does not prescribe a specific risk assessment methodologyNumerous methods of performing a risk analysis – no single method or “best practice” guarantees complianceOutcome is a critical factor in assessing whether a security control is reasonable.
15Risk Assessment = Audit Start with Understanding Your DataWhat Do We Collect?How (where and by whom) do we collect itWhat do we do with it?
16Risk Assessment = Audit What Do We Collect?cc data, name, address (including zip?), telephone, address, purchase history, promotional historyHow (where and by whom) do we collect itPOS, e-commerce website, loyalty card programHandheld or other mobile devices, PIN pads, registers, third party service providersWhat do we do with it?Marketing, sharing with third parties?Storage (how long), disposal
17Sample QuestionsIs the data entered into an electronic storage system? If so, what system is it entered into?Who manages that system? Retailer or an outside vendor?
18Sample Questions What use is made of the data? How long is the data stored?What data retention plans are in place with regard to assuring that the data is kept only as long as it is neededIf customers “opt-in” by filling out a paper card, are they ever later given the right to “opt-out?”How is this implemented?
19Sample QuestionsWhat administrative, physical and technical security safeguards are in place to protect the data that is electronically stored? For instance:How is access controlled? Is access limited by password?Is remote access possible?Are passwords extinguished once an employee with access is terminated?What is the process for this?
20Sample Questions With regard to credit card transactions Do we collect zip codes? Is that ok in the states where we do business? Is the card number truncated automatically at the time the card is swiped? Is the full card number stored anywhere, even temporarily?Is there a time limit on how long is the card data (name and truncated card number) is maintained?
21Sample QuestionsWhat administrative, physical and technical security safeguards are in place to protect the data that is electronically stored? For instance:How is access controlled? Is access limited by password?Is remote access possible?Are passwords extinguished once an employee with access is terminated?What is the process for this?
22Sample QuestionsWhat is the security infrastructure for the system(s) where this data is stored?Is the data stored in one place or is it duplicated to more than one system?Is it stored onsite or hosted in a data center?Do third parties have physical access to our space?Is there technical security promised by the data center at the point of interconnection?What’s the disaster prevention and recovery environment?
23Vender AssessmentAssessment of Vendors is Part of an Overall Information Security ProgramIs Your E-Commerce Vendor PCI Compliant?Do Your Outside Vendors use any other particular standard by which they measure their security?ISO 27001SOC 1, 2 or 3 (formerly SAS 70/SSA SSA 16)
24Assess the Threat Threat – anything with potential to cause harm Human threats – e.g., hackers, dishonest employeesEnvironmental threats – e.g., fire, power outage, static electricityNatural threats – e.g., flood, earthquake, tornadoTechnical threats – e.g., virus, worm, spyware, SQL injection
25Assessment the ThreatVulnerability – a flaw or weakness that allows threat to succeed in causing harmImpact – extent of the resulting harmRisk = likelihood that a threat will exploit a vulnerability and cause harm
26Elements of a Risk Assessment Define the scope of the effort – systems, processes, dataIdentity the threatsIdentify the vulnerabilities (flaws or weaknesses)Assess current security measuresDetermine likelihood of threat exploiting a vulnerabilityDetermine potential impact of threat occurrences
27Elements of a Risk Assessment Determine level of risk – likelihood and magnitude balanced against existing controlsRecommend controls to reduce risk to acceptable levelDocument the risk analysisSee NIST sp800-30
28Some Risk Assessment Sources Risk Management Guide for Information Technology Systems; NIST Special Publication ,HIPAA Security Standards: Guidance on Risk Analysis; Office for Civil Rights (OCR), Draft, May 7, 2010Risk Assessment Standard: ISO/IEC 27001:2005
29Risk Mitigation – Security Controls Types of controlsPhysicalTechnicalAdministrativeFocus of controlsPreventiveDetectiveResponsive
30Common Legally-Required “Categories” of Security Controls Physical controlsFacility and equipmentMediaTechnical controlsAccess controlsIdentification and authenticationSystem configuration and change managementSystem and information integrityData communications protectionMaintenanceSystem activity monitoringAdministrative ControlsPersonnel securityEmployee awareness and trainingBackup and disaster planningIncident response planning
31Beware of Non-Risk-Based Controls: A New Trend? There are some state law exceptions to risk-based controlsExamples include --Encryption – CA, MA, MD, NV, etc.Firewalls – MAVirus software – MAPatch management – MAImportant to address these legal requirements as well
32Evaluation and Assessment Continually monitor the effectiveness of the programInclude training as critical aspect of programRegularly review, reassess, and adjust the program
33John P. Hutchins john. hutchins@troutmansanders John P. Hutchins (404) John represents businesses in all types of commercial litigation, and also in various types of transactions involving information technology, intellectual property and privacy and data security. He leads the firm’s Information Management Team. John's 20 years of litigation experience runs the gamut in subject matter, from eminent domain, to vintage race cars, to death penalty habeas corpus, but he has particular expertise in cases involving computer hardware and software development projects, government procurement, protection of trade secrets and proprietary business information, the Internet and e-commerce, privacy and data security, cloud computing, trademark and copyright infringement, restrictive covenants and breach of fiduciary duty.