A Unified Approach to Security Compliance Diebold Security Customer Advisory Council 2008.

Presentation transcript:


Overview
Rising Tide of Information Security, Privacy and the Internet
Regulation
–Federal
–State
–International
The Unified Approach – A new look at compliance for IT Managers

US Sectoral Approach Has Led to Numerous Laws and Regulations
(diagram labels: Int’l Law; State Law; SOX; FTC; FISMA; HIPAA; GLBA; grouped under Infrastructure Protection, Identity Theft Prevention, Corporate Governance and Reporting, Standards (e.g., NIST and ISO 17799), and The Payment Card Industry Data Security Standard (PCI DSS))

…Have Created a “Silo Approach” to Compliance

The Silo Problem: Multiple Compliance Efforts
–Costs more money
Multiple consultants each offering expertise in specific areas (e.g., HIPAA, GLBA, EU Data Directive, California Law), so multiple efforts are undertaken when essentially a single effort would suffice
–Undermines overall compliance effectiveness
Redundancy, inconsistency, lack of centralized oversight
(diagram labels: GLBA Consultants; HIPAA Consultants; Int’l Consultants; State Law Consultants)

A Unified Approach to Information Security Compliance
Addresses all of the regulatory regimes (security, privacy and other regulatory requirements)
One comprehensive approach
Uses popular compliance frameworks

GLBA
GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. §§6801, 6805
–Resulted in Regulations for Some Agencies
–Resulted in Guidelines for Others

GLBA Reach – Federal Banking Agencies
Interagency Guidelines Establishing Standards for Safeguarding Customer Information:
–The Office of the Comptroller of the Currency (“OCC”) (Treasury); 12 C.F.R. Part 30
–Federal Reserve System; 12 C.F.R. Parts 208, 211, 225 and 263
–The Federal Deposit Insurance Corporation (“FDIC”); 12 C.F.R. Parts 408 and 364
–The Office of Thrift Supervision (“OTS”) (Treasury); 12 C.F.R. Parts 568 and 570 (security) and 573 (privacy)

GLBA Reach – NCUA, SEC, CFTC
The National Credit Union Administration (“NCUA”); 12 C.F.R. Parts 716 (privacy) and 748 (security)
The Securities and Exchange Commission (“SEC”); 17 C.F.R. Part 248 (SEC) (Amendment Pending)
Commodity Futures Trading Commission; 17 C.F.R

FTC and Others
Federal Trade Commission (Safeguards)
State Insurance Authorities

GLBA Scope and Amendments
(timeline diagram labels: Safeguards; Privacy; Disposal; GLBA 1999; FACTA 2003; Breach Notification; Safeguard Expansion)

HIPAA COMPLIANCE
HIPAA Requirements/Security
(diagram labels: Administrative Security; Physical Security; Technical Security; Business Associate Management; Procedures, Legal Compliance)

Federal Information Security Act of 2002
FISMA: Federal Information Security Act of 2002, 44 U.S.C. §3537 et seq.
–Requires compliance with a set of standards for federal government information security
Federal Information Processing Standards (FIPS)
NIST Standards
Applies to Federal Information Systems
–An information system used or operated by an executive agency, or by another organization on behalf of an executive agency
Applies to government contractors

FTC Authority
Section 5 of the FTC Act (“FTCA”) permits the FTC to bring an action to address any unfair or deceptive trade practice that occurs in the course of commercial activities
–A deceptive trade practice is any commercial conduct that includes false or misleading claims or claims that omit material facts
–An unfair trade practice is commercial conduct that causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid

FTC Security Enforcement
Deceptive Trade Practices: based on notice of privacy practices and official statements regarding how an organization safeguards sensitive information (e.g., In re Guidance Software Inc.)
Unfair Trade Practices: practices that “threaten data security” are unfair practices (e.g., In re BJ’s Wholesale Club)
GLBA Safeguards: violations of the Safeguards Rule (e.g., In re Superior Mortgage Corp.)

Enforcement/Consent Orders – FTCA
United States v. ValueClick Inc., C.D. Cal., No. CV , stipulated final judgment approved 3/17/08
Life is good Inc., FTC, File No , (1/17/08)
In re Guidance Software Inc., FTC, File No (11/16/06)
In the Matter of DSW, Inc., FTC, No (12/1/05)
In re CardSystems Solutions Inc., FTC, File No (9/5/06)
United States v. ChoicePoint, 106-cv-0198 (N.D. GA, )
In the Matter of BJ’s Wholesale Club, FTC No (6/16/2005)
In re Petco Animal Supplies Inc., FTC, File No (11/17/04)
In re MTS Inc., FTC, File No , 4/12/04 (Tower Records)
In re Guess? Inc., FTC, File No (6/18/03)
In re Microsoft Corp., FTC, File No (8/8/02)
In re Eli Lilly and Co., FTC, No (1/18/02)

FTC Enforcement – GLBA Safeguards
In re Goal Fin. LLC, FTC, No , commission approval 2/19/08
United States v. American United Mortgage Co., No. 07C 7064 (N.D. Ill., 12/17/07) (Disposal Rule)
In re Nations Title Agency Inc., FTC, No , proposed consent order 5/10/06
In re Superior Mortgage Corp., FTC, File No , 9/28/05
In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No /15/05
In re Sunbelt Lending Services, FTC, File No , 11/16/04

SOX and Security
Sarbanes-Oxley Act, 15 U.S.C. §§7241 and 7267
SOX is “basically silent” on information security; however, information security is implicit:
Certification of effectiveness of controls (404)
Annual assessment and report on effectiveness of the controls (302)
The SEC final rules require management to certify that two types of controls have been established and that their effectiveness has been assessed:
–Access Security
–Internal Controls

SOX Standards: COSO and COBIT
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance
–Integrity and Ethical Values
–Commitment to Competence
–Board of Directors or Audit Committee
–Management Philosophy and Operating Style
–Organizational Structure
–Assignment of Authority and Responsibility
–Human Resource Policies and Procedures
COBIT (Control Objectives for Information and related Technology)
COBIT Security Baseline:
–Security Policy
–Security Standards
–Access and Authentication
–User Account Management
–Network Security
–Monitoring
–Segregation of Duties
–Physical Security

State Breach Notice Laws Continue to Proliferate…
Arizona (Ariz. Rev. Stat. § )
Arkansas (Ark. Code § et seq.)
California (Cal. Civ. Code § )
Colorado (Col. Rev. Stat. § )
Connecticut (Conn. Gen Stat. 36A-701(b))
Delaware (De. Code tit. 6, §12B-101 et seq.)
Florida (Fla. Stat. § )
Georgia (Ga. Code § et seq.)
Hawaii (Hawaii Rev. Stat. §487N-2)
Idaho (Id. Code §§ to )
Illinois (815 Ill. Comp. Stat. 530/1 et seq.)
Indiana (Ind. Code §24-4.9)
Kansas (Kansas Stat a01, 50-7a02 (2006 S.B. 196, Chapter 149))
Louisiana (La. Rev. Stat. §51:3071 et seq.)
Maine (Me. Rev. Stat. tit. 10 §§1347 et seq.)

…with 4 More Enacted in 2007…
Maryland (HB 208, S 194)
Massachusetts (HB 4775)
Michigan (SB 309, Public Act 566)
Minnesota (Minn. Stat. §325E.61, § )
Montana (Mont. Code § et seq.)
Nebraska (Neb. Rev Stat et. seq.)
Nevada (Nev. Rev. Stat. 603A.010 et seq.)
New Hampshire (N.H. RS 359-C:19 et seq.)
New Jersey (NJ Stat. 56:8-163)
New York (N.Y. Bus. Law §899-aa)
North Carolina (N.C. Gen. Stat §75-65)
North Dakota (N.D. Cent. Code § et seq.)

…and one this year, they now total 40…
Ohio (Ohio Rev. Code § , §1347 et seq.)
Oklahoma (Okla. Stat. § )
Oregon (SB 583)
Pennsylvania (73 Pa. Cons. Stat. §2303)
Rhode Island (R.I. Gen. Laws § et seq.)
Tennessee (Tenn. Code § )
Texas (Tex. Bus. & Com. Code § et seq.)
Utah (Utah Code § et seq.)
Virginia (SB 307)
Vermont (Vt. Stat. Tit. 9 §2430 et seq.)
Washington (Wash. Rev. Code § )
Wisconsin (Wis. Stat. § )
Wyoming (SF 53)

…With 8 More in Process.
1. Alabama (SB 382)
2. Alaska (SB 21)
3. Iowa (SSB 3183)
4. Kentucky (HB 553)
5. Missouri (HB 2130)
6. Mississippi (HB 1408)
7. S. Carolina (S 453)
8. West Virginia (HB 2175)
This leaves only the following 2:
1. New Mexico, and
2. South Dakota

Inconsistent State Breach Notice Laws
Personal Information: At a minimum, define “personal information” as a name in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code, the breach of which triggers the need to notify consumers
–Some include passports or other forms of federal identification
Breach: Most apply only to breaches of unencrypted electronic personal information, and require written notification after a breach is discovered
–Some also require notice if an encryption key is breached along with the encrypted data
Notification: Most require notification if there has been, or there is a reasonable basis to believe that, unauthorized access that compromises electronic personal information has occurred
Risk of Harm: In some states, entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual

Inconsistent State Breach Laws (cont’d)
Enforcement Authority: Most give the state’s Attorney General enforcement authority
–A few provide a private cause of action
Law Enforcement Delay: Most allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois
Substitute Notice: Most allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,
–RI, DE, NE, OH set lower thresholds
Security and Privacy Programs: Some require implementation of safeguards to protect information security and privacy (e.g., MD)
Safe Harbor: Some provide a “safe harbor” for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law or federal law such as HIPAA and GLBA (e.g., OH, MD)
Disposal: Some require proper disposal of PI (e.g., MD, MA, OR)
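The two "Inconsistent State Breach Notice Laws" slides above describe the trigger as a combination of conditions (what was exposed, whether it was encrypted, whether a state recognises a risk-of-harm exception). The following is an added illustration, not part of the presentation, that turns those generalised conditions into a checkable decision function for a breach inventory; the field names, the `StateLaw` toggles and their defaults are assumptions that simplify the actual statutes.

```python
"""Generalised breach-notice trigger check (added example, not from the slides).

The element names ("name", "ssn", ...) and the StateLaw toggles are assumed
simplifications; a real assessment must be made against the statute itself.
"""
from dataclasses import dataclass
from typing import Set

# The slide's minimum second elements that, with a name, form personal information.
GOVERNMENT_IDS = frozenset({"ssn", "drivers_license", "state_id"})
# "Some include passports or other forms of federal identification".
FEDERAL_IDS = frozenset({"passport"})
# Financial account / debit card numbers count only together with the access code.
FINANCIAL_NUMBERS = frozenset({"account_number", "debit_card_number"})


@dataclass(frozen=True)
class StateLaw:
    """Optional provisions a particular state's statute may contain (assumed toggles)."""
    federal_ids_count: bool = False       # passports etc. are a qualifying element
    key_breach_counts: bool = False       # encrypted data + exposed key triggers notice
    risk_of_harm_exception: bool = False  # no notice if investigation finds no harm
    substitute_notice_threshold: int = 500_000  # "RI, DE, NE, OH set lower thresholds"


def is_personal_information(exposed: Set[str], law: StateLaw) -> bool:
    """True when the exposed elements meet the slide's definition of PI."""
    if "name" not in exposed:
        return False
    qualifying_ids = GOVERNMENT_IDS | (FEDERAL_IDS if law.federal_ids_count else frozenset())
    if exposed & qualifying_ids:
        return True
    return bool(exposed & FINANCIAL_NUMBERS) and "access_code" in exposed


def notice_required(exposed: Set[str], encrypted: bool, key_exposed: bool,
                    no_harm_finding: bool, law: StateLaw) -> bool:
    """Decide whether individual notification is triggered under `law`."""
    if not is_personal_information(exposed, law):
        return False
    # Most laws cover only unencrypted data; some add the "key breached too" case.
    if encrypted and not (key_exposed and law.key_breach_counts):
        return False
    # Risk-of-harm exception applies only where the state provides one.
    if no_harm_finding and law.risk_of_harm_exception:
        return False
    return True


def substitute_notice_allowed(affected_individuals: int, law: StateLaw) -> bool:
    """Media/Web-site notice is permitted above the state's headcount threshold."""
    return affected_individuals > law.substitute_notice_threshold


if __name__ == "__main__":
    # Constructed scenario: an unencrypted export of names and SSNs.
    print(notice_required({"name", "ssn"}, False, False, False, StateLaw()))
```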

MN Plastic Card Security Act (Security Provisions) – Merchant Security
HF 1758 amends Minnesota’s data breach notification law and contains security and liability provisions.
The security provisions took effect August 1, 2007 and apply to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards “issued by a financial institution.”
Such companies are prohibited from retaining the following card data after authorization of a transaction:
–“the full contents of a track of magnetic stripe data” (which encompasses the “card verification value” or CVV, a unique authentication code embedded on the magnetic stripe);
–the three to four digit security code on the back of the card by the signature block (also known as CVV2); and
–any PIN verification code number (if a debit card with PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction)
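One way to operationalise the retention prohibitions on the slide above is a periodic check over stored transaction records that flags (and can purge) track data and CVV2 present after authorization, and PIN verification data older than 48 hours. This is an added example, not code from the presentation; the record layout (`authorized`, `authorized_at`, `track2`, `cvv2`, `pin_block`) and the sample records are constructed assumptions.

```python
"""Post-authorization card-data retention check (added example, not from the slides).

Record field names are assumed; sample records below are constructed, not real card data.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Data the slide says may not be retained at all once the transaction is authorized.
NEVER_RETAIN = ("track1", "track2", "cvv2")
# PIN verification data may be kept at most 48 hours after authorization.
PIN_FIELD = "pin_block"
PIN_WINDOW = timedelta(hours=48)


def retention_violations(record: Dict[str, object], now: datetime) -> List[str]:
    """Return the fields of a stored record that violate the retention rules at `now`.

    `record["authorized_at"]` is an ISO-8601 timestamp (assumed layout).
    """
    if not record.get("authorized"):
        return []  # the slide's prohibition is framed as "after authorization"
    violations = [f for f in NEVER_RETAIN if record.get(f)]
    if record.get(PIN_FIELD):
        authorized_at = datetime.fromisoformat(str(record["authorized_at"]))
        if now - authorized_at > PIN_WINDOW:
            violations.append(PIN_FIELD)
    return violations


def scrub(record: Dict[str, object], now: datetime) -> Dict[str, object]:
    """Return a copy of `record` with every violating field removed."""
    cleaned = dict(record)
    for field in retention_violations(record, now):
        cleaned.pop(field, None)
    return cleaned


# Constructed sample records (placeholder values, not real card data).
SAMPLE_RECORDS = [
    {"id": "t1", "authorized": True, "authorized_at": "2008-03-01T10:00:00",
     "pan_last4": "1234", "track2": "<track2 placeholder>", "cvv2": "123"},
    {"id": "t2", "authorized": True, "authorized_at": "2008-03-01T10:00:00",
     "pan_last4": "5678", "pin_block": "<encrypted pin block placeholder>"},
    {"id": "t3", "authorized": False, "pan_last4": "9012", "cvv2": "999"},
]


def audit(records, now: datetime) -> Dict[str, List[str]]:
    """Map record id to its violations; empty lists are omitted."""
    report = {}
    for rec in records:
        found = retention_violations(rec, now)
        if found:
            report[str(rec["id"])] = found
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS, datetime(2008, 3, 4, 10, 0, 0)))
```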

MN Plastic Card Security Act (Liability Provisions) – Merchant Liability
For data breaches occurring after August 1, 2008, HF 1758 provides:
–Authorizes banks to file lawsuits to recover from the merchant “the cost of reasonable actions undertaken” to respond to the breach
–If a merchant retains such data in violation of the proposed law and there was a breach of that information, banks may seek the costs of canceling and reissuing credit cards, closing and/or reopening accounts affected by a breach, stop payment actions, unauthorized transaction reimbursements and the providing of breach notice to affected individuals

International Laws
EU Data Protection Directive
–Purpose
To protect individuals with respect to “processing” of personal information
To ensure that personal data may be freely transferred
–Information Security (Article 17)
Appropriate technical and organizational measures to protect data against destruction, loss, alteration, or unauthorized disclosure
Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
–Purpose
“every organization” that “collects, uses or discloses” personal information “in the course of commercial activities” must take steps to protect individual privacy
–Security Standards
These must be made commensurate with the sensitivity of the information it holds
Measures should address:
–The manner in which the information is stored
–Should protect against loss or theft as well as unauthorized access, disclosure, copying, use, or modification of the data
Others, including APEC
US Safe Harbor

Inadequacy of U.S. Protections
Article 25. Member States to enact laws prohibiting the transfer of personal data to countries outside the EU that fail to ensure an “adequate level of (privacy) protection”
–US Privacy Laws Deemed Inadequate by EU
The following methods can be used to obtain personal information from EU countries:
–Data Transfer Agreement
Bind the (U.S.) importer to provide adequate protections (Article 26)
–US Safe Harbor Provisions
Certify Compliance with Safe Harbor
–Unambiguous Informed Consent
The EU company may transfer the data if it obtains an unambiguous informed consent from every data subject before each transfer is made.
–Binding Corporate Rules
The use of internal policy rules, procedures and mechanisms to ensure the rights of data subjects

Unified Approach To Security
(table: each Security Practice mapped against ISO, NIST, HIPAA, GLBA and FTCA; the per-column check marks were lost in extraction)
Administrative Safeguards:
–Security Management Process
–Assigned Security Responsibility
–Workforce Security
–Management of Information Access
–Security Incident Procedures
–Contingency Planning
–Review/Evaluation
–Contracts
–Security Awareness and Training

Unified Approach to Security
(table: each Security Practice mapped against ISO, NIST, HIPAA, GLBA and FTCA; the per-column check marks were lost in extraction)
Physical Safeguards:
–Facility Access Controls (Generally)
–Workstation Use and Security (Generally)
–Device and Media Controls
Technical Safeguards:
–Access Control
–Audit Controls
–Integrity Controls
–Person or Entity Authentication
–Transmission Security

Protecting Information/Achieving Compliance
(process diagram labels: Attorney-Client Privilege; Identify Applicable Laws; Risk Analysis and Report; Implementation; Compliance Legal Evaluation; Compliance Program Integration; Training & Change Management)

Fundamental Process
Identify assets to be protected
Conduct risk assessment
Identify and select reasonable and appropriate controls
Implement controls
Training and awareness
Review (audit) effectiveness and make necessary adjustments

Unified Approach Methodology

Value of Unified Approach
The number of laws and regulations will continue to grow, making compliance even more cumbersome
Unified approach provides compliance with multiple regulations and laws at one time
Ability to demonstrate due diligence to Federal and state authorities, plaintiff attorneys and contract partners

Thank You
M. Peter Adler
Attorney at Law
Direct Fax:
Hamilton Square
600 Fourteenth Street, N.W.
Washington DC
Fax: