By John P. Hutchins, Troutman Sanders LLP, April 17, 2013
Presentation transcript:

In-House Counsel’s Top Concern: Does Our Company’s Data Security Measure Up?

What Is In-House Counsel’s Top Concern?
- More than half say: Data Security (Inhousecounsel.com, December 2012)
- Data thieves “honing in on” the “retail bullseye” (Fox Business, February 2013)
- Retail accounted for 45% of total breaches in ’12
- 15% year-over-year increase from 2011

Retailer Breach Examples
- Barnes & Noble (2011): hackers attacked PIN pad mobile devices at the POS in 63 stores and stole card and PIN data
- Zappos (2012): 24 million customers’ names, billing addresses, phone numbers, truncated credit card numbers and “cryptographically scrambled” passwords

Retailer Breach Examples
- Subway and other unnamed retailers: card data of 80,000 customers; millions of dollars in unauthorized purchases from 2008 to May 2011
- The hackers, all 20-something Romanian nationals, infiltrated more than 200 U.S.-based merchants’ point-of-sale systems after scanning the Internet for vulnerable POS systems

Retailer Breaches Are Common: What Can Be Done?
- Develop an information security program, including regular security audits

Some Laws Requiring an Information Security Program
- Old regime – only case law. Case law recognizes a cause of action for public disclosure of private facts; the plaintiff must prove three prongs: (1) facts were publicly disclosed, (2) the facts disclosed were private facts, (3) the disclosure would offend a reasonable person of ordinary sensibilities.
- New regime – statutory framework. Information security breach laws require immediate notice when customer information may have been breached.

Mass. Reg. 201 (2008) – Requirement of an “Information Security Program”
- It is a legal obligation
- It is a defense to liability
- It is (or will soon be) contractually required by your business partners
- It actually helps improve data security

Nothing New Under the Sun
- GLB security regulations (Fed, OTS, FDIC, OCC) – 2001
- GLB security regulations (FTC) – 2002
- FTC enforcement actions – 2002–present
- HIPAA security regulations (HHS) – 2003 (and recent amendments)
- Oregon (as a safe harbor) – 2007
- AG enforcement actions and developing case law
- Argentina, Austria, EU Data Protection Directive, Iceland, Italy, Netherlands, Norway, Philippines, Poland, Portugal, Spain

What Is a Security “Program?”
- A security “policy” is NOT a security “program”: an e-mail policy, a password policy, or any other policy is not, by itself, a security program
- Security “controls” are NOT a security “program”: firewalls, virus detection software, encryption capabilities, and other security controls do not, by themselves, constitute a security program
- A compliant program may include all of the above

Where Do I Start?
- Start with the concept that security is relative; e.g., the security needed for launching nuclear missiles is different than the security needed for running a retail operation
- Then assume: you have had a security breach, you have been sued in a class action, and you are on the witness stand, being grilled by the plaintiff’s attorney about “why” you did, or did not, implement particular security controls
- Consider how you answer those questions, and what documentation you have to back up those answers!

Who Can I Get to Help?
- It requires an interdisciplinary effort between security professionals and lawyers; neither can do the whole project without the other
- Typically it should be either a two-stage project (security analysis followed by legal analysis) or a joint lawyer / security professional project

Building a Comprehensive Security Program
- It must be in writing: “If it’s not in writing, it doesn’t exist”
- It must be risk-based
- It consists of a process of risk assessment and evaluation, and implementation of appropriate security controls

Basic Requirements
- Understand the data
- Risk assessment: evaluate risks and vulnerabilities in the context of the company’s environment
- Risk mitigation: implement reasonable and appropriate security controls to protect against reasonably anticipated threats or hazards to the security of the data

Risk Assessment
- Risk assessment is the foundational element in the process of achieving compliance
- The law does not prescribe a specific risk assessment methodology
- There are numerous methods of performing a risk analysis; no single method or “best practice” guarantees compliance
- The outcome is a critical factor in assessing whether a security control is reasonable

Risk Assessment = Audit
Start with understanding your data:
- What do we collect?
- How (where and by whom) do we collect it?
- What do we do with it?

Risk Assessment = Audit
- What do we collect? Credit card data, name, address (including zip?), telephone, email address, purchase history, promotional history
- How (where and by whom) do we collect it? POS, e-commerce website, loyalty card program; handheld or other mobile devices, PIN pads, registers, third-party service providers
- What do we do with it? Marketing, sharing with third parties? Storage (how long), disposal

Sample Questions
- Is the data entered into an electronic storage system? If so, what system is it entered into?
- Who manages that system? The retailer or an outside vendor?

Sample Questions
- What use is made of the data?
- How long is the data stored?
- What data retention plans are in place to assure that the data is kept only as long as it is needed?
- If customers “opt in” by filling out a paper card, are they ever later given the right to “opt out?” How is this implemented?

Sample Questions
- What administrative, physical and technical security safeguards are in place to protect the data that is electronically stored? For instance:
  - How is access controlled? Is access limited by password?
  - Is remote access possible?
  - Are passwords extinguished once an employee with access is terminated? What is the process for this?

Sample Questions
With regard to credit card transactions:
- Do we collect zip codes? Is that OK in the states where we do business?
- Is the card number truncated automatically at the time the card is swiped?
- Is the full card number stored anywhere, even temporarily?
- Is there a time limit on how long the card data (name and truncated card number) is maintained?

Sample Questions
- What is the security infrastructure for the system(s) where this data is stored?
- Is the data stored in one place or is it duplicated to more than one system?
- Is it stored onsite or hosted in a data center?
- Do third parties have physical access to our space?
- Is there technical security promised by the data center at the point of interconnection?
- What is the disaster prevention and recovery environment?

Vendor Assessment
- Assessment of vendors is part of an overall information security program
- Is your e-commerce vendor PCI compliant?
- Do your outside vendors use any other particular standard by which they measure their security? ISO 27001; SOC 1, 2 or 3 (formerly SAS 70/SSAE 16)

Assess the Threat
- Threat – anything with the potential to cause harm
- Human threats – e.g., hackers, dishonest employees
- Environmental threats – e.g., fire, power outage, static electricity
- Natural threats – e.g., flood, earthquake, tornado
- Technical threats – e.g., virus, worm, spyware, SQL injection

Assess the Threat
- Vulnerability – a flaw or weakness that allows a threat to succeed in causing harm
- Impact – the extent of the resulting harm
- Risk = the likelihood that a threat will exploit a vulnerability and cause harm

Elements of a Risk Assessment
- Define the scope of the effort – systems, processes, data
- Identify the threats
- Identify the vulnerabilities (flaws or weaknesses)
- Assess current security measures
- Determine the likelihood of a threat exploiting a vulnerability
- Determine the potential impact of threat occurrences

Elements of a Risk Assessment
- Determine the level of risk – likelihood and magnitude balanced against existing controls
- Recommend controls to reduce risk to an acceptable level
- Document the risk analysis
- See NIST SP 800-30
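The steps above, from scoping through documentation, carried out as a small qualitative risk register. This is an added example, not from the presentation: the three-level scales, the control catalogue and the sample risks are constructed here (the threats are the ones the slides mention), and the "one step per control" credit is an assumed simplification of the likelihood-times-impact approach of NIST SP 800-30.

```python
from dataclasses import dataclass, field

LEVEL = {"low": 1, "medium": 2, "high": 3}
# Assumed control catalogue: each control lowers either likelihood or impact by one step.
CATALOGUE = {"firewall restricting remote access to POS": "likelihood",
             "patch management for POS software": "likelihood",
             "input validation on web forms": "likelihood",
             "system activity monitoring": "likelihood",
             "encryption of stored card data": "impact"}

@dataclass
class Risk:
    asset: str            # scope item: system, process or data
    threat: str
    vulnerability: str
    likelihood: str       # inherent rating, before crediting any control
    impact: str
    existing: list = field(default_factory=list)   # controls already in place
    options: list = field(default_factory=list)    # catalogue controls judged applicable

def score(risk, controls):
    """Likelihood x impact (1..9) after crediting each control, floored at 'low'."""
    like, imp = LEVEL[risk.likelihood], LEVEL[risk.impact]
    for c in controls:
        like, imp = (max(1, like - 1), imp) if CATALOGUE[c] == "likelihood" else (like, max(1, imp - 1))
    return like * imp

def level(s):
    """Bucket a 1..9 score into the three risk bands."""
    return "high" if s >= 6 else "medium" if s >= 3 else "low"

def assess(risk, acceptable="low"):
    """Rate the risk against existing controls, then greedily add applicable controls until
    the level is acceptable; returns the documented row for the risk register."""
    in_place, recommended = list(risk.existing), []
    while LEVEL[level(score(risk, in_place))] > LEVEL[acceptable]:
        candidates = [c for c in risk.options if c not in in_place]
        if not candidates:
            break  # nothing left to add: residual risk must be accepted and documented
        best = min(candidates, key=lambda c: score(risk, in_place + [c]))
        in_place.append(best)
        recommended.append(best)
    return {"asset": risk.asset, "threat": risk.threat, "vulnerability": risk.vulnerability,
            "level_before": level(score(risk, risk.existing)), "recommended": recommended,
            "level_after": level(score(risk, in_place))}

# Constructed sample drawn from the threats the slides mention.
SAMPLE = [
    Risk("POS PIN pads", "attacker scanning the Internet for exposed POS systems",
         "remote management reachable from the Internet", "high", "high",
         existing=["system activity monitoring"],
         options=["firewall restricting remote access to POS",
                  "patch management for POS software", "encryption of stored card data"]),
    Risk("e-commerce customer database", "SQL injection", "unvalidated web input",
         "medium", "high", options=["input validation on web forms",
                                    "encryption of stored card data"]),
]
```

Running `[assess(r) for r in SAMPLE]` yields one register row per risk, showing the rating before and after the recommended controls; a risk whose options run out keeps its residual level, which is the case that needs a documented acceptance decision.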

Some Risk Assessment Sources
- Risk Management Guide for Information Technology Systems; NIST Special Publication 800-30, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
- HIPAA Security Standards: Guidance on Risk Analysis; Office for Civil Rights (OCR), Draft, May 7, 2010, www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
- Risk Assessment Standard: ISO/IEC 27001:2005

Risk Mitigation – Security Controls
- Types of controls: physical, technical, administrative
- Focus of controls: preventive, detective, responsive

Common Legally-Required “Categories” of Security Controls
- Physical controls
  - Facility and equipment
  - Media
- Technical controls
  - Access controls
  - Identification and authentication
  - System configuration and change management
  - System and information integrity
  - Data communications protection
  - Maintenance
  - System activity monitoring
- Administrative controls
  - Personnel security
  - Employee awareness and training
  - Backup and disaster planning
  - Incident response planning

Beware of Non-Risk-Based Controls: A New Trend?
- There are some state law exceptions to risk-based controls. Examples include:
  - Encryption – CA, MA, MD, NV, etc.
  - Firewalls – MA
  - Virus software – MA
  - Patch management – MA
- It is important to address these legal requirements as well

Evaluation and Assessment
- Continually monitor the effectiveness of the program
- Include training as a critical aspect of the program
- Regularly review, reassess, and adjust the program

John P. Hutchins
john.hutchins@troutmansanders.com
(404) 885-3460
John represents businesses in all types of commercial litigation, and also in various types of transactions involving information technology, intellectual property, and privacy and data security. He leads the firm’s Information Management Team. John’s 20 years of litigation experience runs the gamut in subject matter, from eminent domain, to vintage race cars, to death penalty habeas corpus, but he has particular expertise in cases involving computer hardware and software development projects, government procurement, protection of trade secrets and proprietary business information, the Internet and e-commerce, privacy and data security, cloud computing, trademark and copyright infringement, restrictive covenants and breach of fiduciary duty.