Archive for March, 2006

Vendor or GTA Responsibility?

Friday, March 31st, 2006

Yesterday Computerworld reported a breach at the Georgia Technology Authority (GTA) that resulted from "an unpatched flaw in a 'widely used security program.'"

Some interesting tidbits from the article:

  • "involved a hacker who used 'sophisticated hacking tools' to break through several layers of security after accessing the server hosting the database via the software flaw"

Well, most of the widely available hacking tools are pretty sophisticated…and require very little sophistication on the part of the person using them…so "sophisticated tools" says almost nothing about the attacker; basically anyone can point them at a known flaw.  And what is really meant by "several layers of security"?  Several different security products?  Or just different features of this one "security program"?

The vendor was not named, but the article reported the vendor had already "publicly disclosed" the vulnerability.  So perhaps looking at CERT we can narrow it down?  The intrusion occurred "sometime between Feb. 21 and Feb. 23."  Look at the CERT vulnerability notes by date published…and the CERT technical security alerts…and the CERT technical security bulletins…hmm…definitely multiple possibilities through the bulletins…

  • "The breached server contained information on a total of eight pension plans administered by the state. The core database itself was managed by the state Employees Retirement System, though the server it was hosted on was administered by the GTA. At this point, there is no evidence that confidential information, including names, Social Security numbers and bank-account details, have been misused, Goldberg said.  Even so, the GTA is sending out letters to 180,000 affected employees for whom it has contact information, she said. The state does not have current addresses for the remaining 373,000 individuals affected and is relying on media reports and its own outreach efforts to inform them of the potential compromise of data, Goldberg said."

Well, as with past incident reports, indicating there is "no evidence" of information misuse is really not reassuring…there are virtually an infinite number of ways in which the data can be misused…most of them would not produce evidence, at least not right away…identity theft typically surfaces months later, if it is ever traced back to a particular breach at all.

Odd that the state could not find addresses on 373,000 individuals given they have their "names, Social Security numbers and bank-account details."

So…the debate continues…who is most at fault here…the security software vendor, the GTA, or both equally?  Did the vendor have good procedures in place to incorporate security into their entire SDLC…and thoroughly test before production release…their insecure security software?  Did GTA not get the patch applied quickly enough…or did they have inadequate patch procedures?  If the vendor had disclosed (and presumably patched) the flaw before the Feb. 21 intrusion window, the question becomes how long GTA's patch window was for an Internet-facing server holding 553,000 people's data.

  • "This is the second major breach involving the GTA in the past year. In April 2005, the GTA disclosed that a state employee had downloaded confidential information belonging to more than 450,000 members of the state’s health benefit plan onto a home computer."

Well…this is certainly another type of security issue altogether, but also one that is reported more and more.

  • "Since that breach, the GTA has implemented several measures to tighten security, including stricter password controls, more timely reviews of logs and alerts, more extensive employee background checks and stricter control of access confidential data, according to the GTA’s Web site."
  • Interesting, "more timely reviews of logs and alerts"

Just a few of many lessons that can be learned (again)…

  • Security product vendors need to be held to a higher standard to properly and thoroughly test their software before releasing it.  Things will still get overlooked, but hopefully many fewer…and a security product is itself attack surface, exposed to the very traffic it inspects.
  • Organizations should not rely upon only one security product…they should use layers of security from various vendors, so that one flaw does not open the whole path to the data.
  • Organizations need to establish formally documented patch procedures and consistently follow them, with the patch window driven by the severity of the vulnerability, the exposure of the system and the potential business impact.
  • Limit access to confidential information to only that necessary for specific groups/roles to perform job responsibilities.
  • Don’t allow entire databases of confidential information to be downloaded to mobile computing devices or employee-owned computers.  If for some reason this is necessary, strongly encrypt it.
  • Educate your personnel, on an ongoing basis and in a number of ways, about how they need to protect confidential data while they are performing their job responsibilities.
  • And so much more…

Data Breaches in Small Businesses

Thursday, March 30th, 2006

An IDG News report yesterday announced the availability of a free Better Business Bureau (BBB) customer data security kit through the BBB's "Security and Privacy — Made Simpler" website, launched on Monday (3/27) for the benefit of small businesses, which typically do not have the resources for a full information security program.  The report contained some interesting statistics:

  • 56% of U.S. small businesses experienced data breaches in 2005.
  • 20%  of small businesses do not use virus-scanning software for email.
  • 60% of small businesses do not protect wireless networks with encryption.

The report did not define what a data breach is, so that could cover a very wide range of incidents.

The Small Business Administration generally defines a small business as one with up to 500 to 1,000 employees (depending on the industry).  Using 999 or fewer employees as my rule of thumb, and the U.S. Census Bureau's figures (its range broke at 999 or fewer employees), there were 5,775,535 such businesses in 2003.  If the number is still the same (I imagine there are more now), the given percentages work out to:

  • 3,234,300 small U.S. businesses had data breaches
  • 1,155,107 small U.S. businesses do not use virus-protection software to scan emails
  • 3,465,321 small U.S. businesses do not use encryption with their wireless networks (if all had wireless networks)

YIKES!!  However…

I’m not too surprised by these numbers; I’ve performed a large number of business partner security program reviews over the past few years, and it is still common to find small- to medium-sized organizations, as well as large organizations, with no documented information security policies or procedures, no encryption used anywhere, no wireless security, and…something missing from the report that is very common and critical…no documented business continuity (including backup and disaster recovery) plans. 

The BBB also plans to release an employee data protection toolkit later this year.

The BBB site is very new, but looking at the headings it could potentially contain very useful and interesting information as it becomes populated; e.g., "Data Breach Horror Stories" and "Current Security and Privacy News" (which are currently empty).

It would be helpful if the BBB and the others involved with the creation of the toolkit could provide some studies or statistics about the breaches that have occurred…considering how many there have been, there should be some data, even at least partial, available to learn from.

U.S. Energy and Commerce Committee Today Approved the Data Accountability and Trust Act

Wednesday, March 29th, 2006

Today the House Energy and Commerce Committee had a unanimous 41-0 vote in favor of H.R. 4127, the Data Accountability and Trust Act.  Let’s walk through the major portions of this bill; it:

  • Requires "each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information."
  • Requires the policies and procedures to cover the collection, use, sale, other dissemination, and maintenance of personal information.
  • Requires the identification of an officer with responsibility for the management of information security.
  • Requires a process for identifying and assessing "any reasonably foreseeable vulnerabilities in the system" that contains personal information.
  • Requires a process for taking preventive and corrective action to mitigate against any vulnerabilities "which may include encryption of such data, implementing any changes to security practices and the architecture, installation, or implementation of network or operating software."
  • Requires information brokers to annually submit their information security policies to the FTC.
  • Requires the FTC to perform audits of information brokers who have experienced a breach.
  • Requires information brokers to allow individuals to view their corresponding information and to communicate on their website how individuals can accomplish this.
  • Requires information brokers to maintain documentation for when individuals dispute the accuracy of their information.
  • Requires "any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information," following a security breach, to:
    (1) notify U.S. citizens "whose personal information was acquired by an unauthorized person as a result of such a breach of security";
    (2) notify the FTC;
    (3) place a conspicuous notice about the breach on their website; and
    (4) in the case of a breach of financial account information held by a merchant, notify the financial institution.
  • Requires notifications to "be made as promptly as possible and without unreasonable delay following the discovery of a breach of security of the system and any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system."
  • Allows for either written or email notification (if the individual has consented to receive notification via email).
  • Requires the content of the direct notification to include "(i) a description of the personal information that was acquired by an unauthorized person;  (ii) a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the security breach or the information the person maintained about that individual; (iii) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and  (iv) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft."
  • Allows for substitute notification in lieu of direct notification if the direct notification  will be "(i) excessive cost to the person required to provide such notification relative to the resources of such person, as determined in accordance with the regulations issued by the Commission"  or "(ii) lack of sufficient contact information for the individual required to be notified."
  • Requires the content of substitute notification to be "in print and broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside. Such notification shall include a telephone number where an individual can, at no cost to such individual, learn whether or not that individual’s personal information is included in the security breach."
  • Requires the FTC to establish the criteria for substitute notification and general guidance for compliance with the law within 270 days after the law is enacted.
  • Requires the person giving notification to provide each impacted individual, at no cost to the individual, with consumer credit reports from at least one of the "major credit reporting agencies beginning not later than 2 months following a breach of security and continuing on a quarterly basis for a period of 2 years thereafter."
  • Requires the FTC to post a notice of each reported security breach in a conspicuous location on the FTC website.

It is important to know the definitions of key terms within this bill; they follow:

"(1) BREACH OF SECURITY- The term `breach of security’ means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.

(2) COMMISSION- The term `Commission’ means the Federal Trade Commission.

(3) DATA IN ELECTRONIC FORM- The term `data in electronic form’ means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

(4) ENCRYPTION- The term `encryption’ means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

(5) IDENTITY THEFT- The term `identity theft’ means the unauthorized assumption of another person’s identity for the purpose of engaging in commercial transactions under the name of such other person.

(6) INFORMATION BROKER- The term `information broker’ means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not customers of such entity for the sale or transmission of such information or the provision of access to such information to any third party, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.

(7) PERSONAL INFORMATION-

(A) DEFINITION- The term `personal information’ means an individual’s first and last name in combination with any 1 or more of the following data elements for that individual:

(i) Social Security number.

(ii) Driver’s license number or other State identification number.

(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

(B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule, modify the definition of `personal information’ under subparagraph (A) to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.

(8) PERSON- The term `person’ has the same meaning given such term in section 551(2) of title 5, United States Code."

Also important to note are the ways in which this law would preempt the state level laws:

"(a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly–

(1) requires information security practices and treatment of personal information similar to any of those required under section 2; and

(2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of their personal information.

(b) Additional Preemption-

(1) IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.

(2) PROTECTION OF CONSUMER PROTECTION LAWS- This subsection shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.

(c) Protection of Certain State Laws- This Act shall not be construed to preempt the applicability of–

(1) State trespass, contract, or tort law; or

(2) other State laws to the extent that those laws relate to acts of fraud."

The law would take effect 1 year after enactment, and, interestingly, cease to be in effect 10 years from the date of enactment. 

There is so much to say and discuss about this bill.  It is certainly getting closer to including the types of data protection requirements found in non-U.S. laws. 

However, some general comments about this bill…

  • It is great that a data protection (privacy) law is finally being proposed that would be applicable to all businesses
  • Would help support the establishment of formal information security positions and programs in all industries/businesses
  • Why are information brokers the only businesses required to allow individuals to see their corresponding information that the business possesses?  Probably to avoid what the lawmakers would view as an undue burden on all businesses.  However, healthcare and financial organizations already must allow for this.
  • Requiring breach notification only when personal information "has been acquired" could be a huge potential loophole…what does acquired mean?  This could be debatable, even with the provided definitions…it can mean many things depending on who is arguing for or against it.
  • Limiting notification to only "each individual of the U.S." is curious; organizations would be unwise not to treat all their customers equally with regard to notification no matter where they are located.
  • It will be interesting to see what the FTC determines is "excessive cost" for direct notification.
  • Very importantly, if data is encrypted as the bill defines it (a validated cryptographic module, with "appropriate management and safeguards" of the keys), the bill presumes there is no reasonable basis to conclude a significant risk of identity theft, so the incident would not need to be reported as a breach.  Note that this is a rebuttable presumption: it falls away if the encryption method "has been or is likely to be compromised," and encryption whose keys are stored alongside the data would not meet the key-safeguard requirement in the first place.  More reason for organizations to use encryption, and to manage keys properly…it’s a great security tool!  This also helps to ensure notices are truly only given when there is real risk to the electronic data.
  • The bill only covers electronic data.  Too bad; many incidents have occurred with printed documents.
  • Notice this bill would preempt the state level breach notification laws.
  • I don’t know why the law would cease to be in effect 10 years after enactment; why is this?  Will there no longer be personal information breaches in 10 years for some reason the general public does not know about?   Very curious indeed…

HIPAA, hospitals and law enforcement

Tuesday, March 28th, 2006

I found a story in The News & Observer interesting in its reference to HIPAA.

Apparently a man charged with second-degree murder and felony death by vehicle was sent to the hospital following the accident last October.  However, the hospital released him without notifying law enforcement.  The article reported that the Highway Patrol Sgt. indicated his belief that hospitals do not inform law enforcement of such releases because of HIPAA…that they are afraid of being in noncompliance.  The hospital indicated, however, that law enforcement did not provide the hospital with the man’s name and a copy of his arrest warrant when he was admitted, as is their policy, so they did not know law enforcement wanted to be contacted.  UNC Health Care spokesperson "Crayton added that she is not aware of any cases at UNC where HIPAA rules have gotten in the way of officials being notified of a criminal defendant’s discharge."

Interesting…so is law enforcement trying to use HIPAA as a scapegoat for why the defendant (who was later caught, by the way) was released without their knowledge?  Or, was it just a miscommunication?  I have not read about a tendency for hospitals to not contact law enforcement when criminal patients are released before this printed opinion.

Interesting Laptop Thefts Story

Tuesday, March 28th, 2006

The Twin Cities Pioneer Press had an interesting story about the rise in laptop thefts.  The thieves are apparently targeting rental cars parked by upscale and trendy restaurants, knowing the probability that executives leave their laptops in the car while they dine.

Since January 2005… "Palo Alto police have fielded 65 reports of stolen laptops." 

WOW!   65 in one city alone…makes you wonder how many are stolen throughout the U.S. and in cities throughout the world…gotta see if there is a way to find this information…

It also referenced the laptop containing HP employee data that was stolen from Fidelity (discussed on this blog on March 23); "The HP employee data was imported onto the laptop for the software demonstration."

Okay…another information security snafu: using live production data for test and demo purposes.  Yes, I know most companies still use production data for testing and demos.  However, there are a growing number of products that can scrub or de-identify data…yes, it takes a bit more time than just copying live data…but using de-identified or dummy data for situations such as this is a safeguard that keeps an incident like this from being anything worse than the loss of the hardware.  Plus, it is against the law in some countries to use production data in this manner.
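One way to do that scrubbing before a demo copy leaves the production environment, as an added example and not code from the original post or from any product it mentions: a small Go program that replaces names with keyed pseudonyms (so the same person still maps to the same token across every table in the demo set), masks SSNs and account numbers down to their last four digits, and refuses to release the set if any original identifier survives verbatim. The record layout, the two rows and the scrubbing key are constructed for the example; the key is the one thing that must never travel with the demo bundle.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Employee is a constructed record shape standing in for a production HR row.
type Employee struct {
	Name    string
	SSN     string // formatted 123-45-6789
	Account string // bank account number
	Dept    string // non-identifying attribute, kept as-is for demo realism
}

// Pseudonymize returns a deterministic, keyed pseudonym for v so a scrubbed
// dataset keeps referential integrity (one person, one token everywhere)
// without exposing the value. Without the key the token cannot be reversed
// or recomputed, so the key stays outside the demo bundle.
func Pseudonymize(key []byte, label, v string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(label + ":" + v))
	return label + "_" + hex.EncodeToString(mac.Sum(nil))[:12]
}

// MaskSSN keeps only the last four digits, enough to show the field's shape
// in a demo, and preserves the 3-2-4 layout. Malformed input is fully masked.
func MaskSSN(ssn string) string {
	digits := strings.ReplaceAll(ssn, "-", "")
	if len(digits) != 9 {
		return "XXX-XX-XXXX"
	}
	return "XXX-XX-" + digits[5:]
}

// MaskAccount replaces all but the last four characters with asterisks.
func MaskAccount(acct string) string {
	if len(acct) <= 4 {
		return strings.Repeat("*", len(acct))
	}
	return strings.Repeat("*", len(acct)-4) + acct[len(acct)-4:]
}

// Scrub produces the demo-safe copy of a production slice.
func Scrub(key []byte, prod []Employee) []Employee {
	out := make([]Employee, len(prod))
	for i, e := range prod {
		out[i] = Employee{
			Name:    Pseudonymize(key, "emp", e.Name),
			SSN:     MaskSSN(e.SSN),
			Account: MaskAccount(e.Account),
			Dept:    e.Dept,
		}
	}
	return out
}

// LeaksOriginal is the release gate: it reports whether any direct identifier
// from the production set survives verbatim in the scrubbed set.
func LeaksOriginal(prod, scrubbed []Employee) bool {
	for _, p := range prod {
		for _, s := range scrubbed {
			if s.Name == p.Name || s.SSN == p.SSN || s.Account == p.Account {
				return true
			}
		}
	}
	return false
}

func main() {
	key := []byte("hypothetical-scrub-key-never-shipped-with-demo") // assumption
	prod := []Employee{ // constructed sample rows, not real data
		{"Alice Example", "123-45-6789", "000123456789", "Finance"},
		{"Bob Sample", "987-65-4321", "000987654321", "IT"},
	}
	demo := Scrub(key, prod)
	for _, e := range demo {
		fmt.Printf("%-20s %s %s %s\n", e.Name, e.SSN, e.Account, e.Dept)
	}
	fmt.Println("original identifiers leaked:", LeaksOriginal(prod, demo))
}
```

The keyed pseudonym matters more than it looks: an unkeyed hash of a name or SSN can be reversed by hashing every candidate value, which for nine-digit SSNs is trivial. Run the `LeaksOriginal` gate on the finished demo set, not just the one table you remembered to scrub.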

Does your organization have strong mobile computing device security measures in place…and effective training and awareness for the people using them?  Do you have procedures in place for using dummy data for demo and test purposes?

The Eyes in the Skies Are Upon You

Monday, March 27th, 2006

A friend of mine (thanks Alec!) notified me of a site, Windows Live Local, that gives quite a close-up aerial view of people’s homes, in addition to public areas, in a growing number of locations.

I have few problems with surveillance in public areas…after all, they are public, and such cameras have led to the capture of some very heinous criminals.

However, peering into backyards and over privacy fences and projecting the images out for the world to see on the Internet is another issue altogether…a huge invasion of privacy, but a sad reality of the largely unregulated imaging technology that floats everywhere above us.

The Perils of P2P

Monday, March 27th, 2006

On March 22 there were many reports about the Winny "virus" in Japan.  The culprit is the Antinny worm, which spreads through Winny, a P2P file-sharing program that is apparently widely used in Japan, and uploads files from infected PCs into the file-sharing network.

"Top-secret military information, business documents of hundreds of corporate firms, personal and confidential data related to thousands of patients, complete information of Yahoo shopping mall, high profile information of Liberal Democratic Party and thousands more are all floating currently on the internet, creating an enormous flood of information leakage in Japan."

Japanese military personnel were ordered to uninstall Winny to stop the leakage.

"The Self Defense Force of Japan estimates that information drainage has been on, for a staggering two full years!"

An earlier Winny incident was reported March 15: PINs used to enter restricted areas of Japanese airports were posted on the Internet by the Winny file-sharing software on an All Nippon Airways pilot’s personal computer, onto which, for some reason, he had loaded all the PINs.

"In a similar case, PINs stored on a private computer belonging to a pilot of Japan Airlines who had used Winny were inadvertently put on the Internet in December."

How are organizations controlling the P2P software?  Are they even?

Also, why are there continuing to be so many reports of such large volumes of highly confidential information being stored on laptops and other mobile computing devices? 

And not having PINs encrypted both at rest (in storage) and in motion (while being transmitted) is simply a bad business decision…a file-sharing worm, a stolen laptop and a lost backup tape all turn an unencrypted file into a public one.

Compliance Is Tough…PIPEDA Compliance Blog

Sunday, March 26th, 2006

I ran across the blog of someone who is apparently trying to comply with Canada’s PIPEDA regulation.  If he adds any details to this, it should make interesting reading!

How to Effectively Address Privacy in Business

Sunday, March 26th, 2006

In this episode I briefly discuss the current privacy concerns and business activities regarding the safeguarding of personal information and the types of impact incidents have upon business; the challenges associated with protecting personal information (both consumer and employee), and ways to address these challenges to avoid ending up in the newspaper as the next privacy incident headline; and the need to address privacy issues within business processes, not only to meet regulatory requirements but also to demonstrate due diligence, support business goals and build business value.

Thought Provoking Paper on Privacy

Saturday, March 25th, 2006

Daniel J. Solove has written a thought-provoking paper, "A Taxonomy of Privacy," available for free download.  I encourage you to download it and think about your own organization’s privacy practices as you read it.
