
cobbassociates.com
Copyright, 2002, Stephen Cobb

Privacy Today

Why It’s Driving Security And How You Can Manage It

Stephen Cobb, CISSP

Page 2 of 43 ©Stephen Cobb, 2003 www.cobbassociates.com

Today’s Agenda

– Why and how privacy is driving security
– What privacy laws/rules are impacting security
– How to manage privacy in your organization
– Changes you may need to make to your security
– Tools to help

Session Time 9.00 AM-Noon, 12/10/02

Session Leader

Stephen Cobb, CISSP

– Started writing [his] first computer security book, 1989
– Stephen Cobb Guide to PC & LAN Security, 1992
– National Computer Security Association, 1994-96
– Miora Systems Consulting (MSC), InfoSec Labs, 1997-1999
– Security Evangelist, Rainbow Technologies, 1999-2001
– Senior VP, Research & Education, ePrivacy Group, 2001
– Advised Federal Trade Commission in matter of Eli Lilly (prozac.com)
– Author, Privacy for Business: Web Sites & Email, 2002
– Adj. Professor MSc. Information Assurance, Norwich University, 2002

3 Biggest Things in Security This Year?

– The identity theft explosion
  – Large-scale, computer-access based, fuels consumer fears over handling of personally identifiable information (PII) by commercial and government entities
– FTC action in Eli Lilly and Microsoft Passport
  – Companies who break privacy promises and fail to live up to security claims will face consequences (like 20 years of government monitoring)
– Bugbear and other virus/worm/Trojan code
  – Apart from being hard to stop, they expose PII and underline the sad state of client systems today

Relationship of Privacy to Security

– Complex and definition dependent
  – Security is about how you control access to information
  – Privacy is about who controls access to what information
– Security is technology, privacy is policy
  – Security is a two-edged sword, e.g. Fired? PGP the hard drive!
  – Privacy is a two-sided dilemma, e.g. Don’t track me! Track my miles!
– You can have security without privacy, but you can’t have privacy without security
  – KPMG, “Managing Privacy as a Competitive Advantage”

“IT security in the enterprise has traditionally served the interests of the enterprise. Privacy brings a new customer to the table: the customer.”

– David Brussin, CISSP, CTO, ePrivacy Group

Some Definitions Should Help

– Information Privacy
  – The right of individuals (customers) to determine if, when, how, and to what extent data about themselves will be collected, used and shared with others. (Ask me who uses this definition)
– Information Security
  – The ability to control the confidentiality, integrity, and availability of information.
– Personally Identifiable Information
  – Any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or from which identification or contact information of an individual person can be derived. Includes, but is not limited to: name, address, phone number, fax number, email address, financial profiles, medical profile, social security number, and credit card information.

Privacy As Front Page News (Before 9/11)


Now Even Bigger


Concerns Cannot Be Denied or Ignored

Fundamentalists want more privacy rules.

Pragmatists favor self-regulation.

Survey of 1500 consumers by Privacy and American Business


Business Has Responded, But Slowly

– So far only 51% of companies have privacy policies, even though 97% have Web sites and 53% use those sites for e-commerce
  – Weak sectors (retail, healthcare, manufacturing)
  – Stronger sectors (banking, transportation)
  – Computer Economics Institute, March 2002
– Barely half of companies post privacy notices on their Web sites and 60% don’t monitor their Web sites to make sure they deliver the privacy that’s promised
  – Watchfire/PWC

Privacy Incidents = Security Incidents

– Eli Lilly Prozac Email Incident
  – Exposed PII of prozac.com reminder service subscribers
  – FTC deemed this coding error to be a security failure
  – Imposed a settlement that lasts 20 years
  – State fines imposed (piggyback)
– Microsoft Passport
  – Claim of strong security found deceptive
  – Even though no PII exposed
  – FTC settlement imposed
  – Fines if broken ($11K each time)
– Ziff Davis
  – Exposed credit cards on Web
  – ID theft resulted
  – $125K to states and persons

Incident Impact:
– Stock price takes a hit.
– Press “goes negative.”
– Brand name tarnished.
– Resources diverted.
– Opportunity costs incurred: Marketing, PR, Employees, Managers, Lawyers

Security Breaches = Privacy Breaches

– A privacy breach occurs when there is exposure of personally identifiable information (PII), regardless of what caused the exposure
– The controls imposed by proper security could prevent most of these breaches
  – E.g. Ziff Davis Media exposed credit cards on Web: due to rogue action inside the company (bypassed SOP), but security procedures should have prevented this action
  – E.g. Microsoft ftp site snafu: millions of names and addresses, encrypted with Zip using a 4 letter password; policy and procedure could have prevented this, better awareness would help
– Security includes proper software development methodology and protocols, e.g. Eli Lilly
  – Company had extensive QA, version control, etc.
  – But Web/Email developers were not included

Cost of “A Damaging Privacy Incident”

Source: Forrester Research, Feb 2001 Report (www.forrester.com)

Privacy Imperatives: What You Have to Do

– Privacy Laws (over 30 Federal, more State):
  – COPPA (kids on the Web)
  – HIPAA (covers health care organizations and more)
  – GLBA (covers many finance-related companies)
  – FTCA? FTC’s mandate to act on “deceptive practices”
– Privacy Torts: right of private privacy action
  – Yesterday Tammy, today Prozac in the mail box, tomorrow?
  – Class action privacy lawsuits are on the increase
  – More attorneys willing to take privacy cases on contingency basis
– State Attorneys General: No downside for them
  – Great way to show you care about consumers
  – Also resonates with calls for corporate responsibility
  – New York AG Spitzer particularly aggressive

Why “No New Privacy Laws” Means More Cases

– Familiar argument: We don’t need any more laws, we need enforcement of existing laws. Applied by the Bush administration to privacy laws, so the FTC is enforcing the law
– Taking action against “deceptive business practices”
  – If your company promises to protect PII but fails, you may be judged to have broken “privacy promises” (courts of public opinion, press, law)
  – This has been deemed a deceptive trade practice (deceiving consumers brought unfair advantage over competitors)
  – Breaking of promises does not need to be intentional to be judged deceptive, and does not need to be actual to be prosecuted:
  – “Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It is not only good business, it’s the law. Even absent known security breaches, we will not wait to act.” — FTC Chairman Timothy Muris, August 2002

4 Way Privacy Pressure = 4 X Risk

(Diagram: four sources of pressure, Compliance, FTC, State AGs and Civil Suits, giving 4 X Pressure and 4 X Risk)

– Security is no longer just about protecting company secrets
– Must also provide protection for customer data throughout the data life cycle
– Requires an effective approach to “privacy management”

Security Rules for Privacy Laws

– HIPAA and GLBA establish security rules
– These are significant even if your organization is not a covered entity for either of these laws
– Implications of HIPAA Security Rule
  – Federally mandated standard for security practices for organizations involved in health or handling health-related information, including much research data
  – Defines practices necessary to conduct business electronically in the health care industry today
  – Establishes that these are the things you should be doing today (pre-empting arguments over costs)
  – Provides solid basis for legal action by anyone who feels harmed by exposure of their health data
  – If the organization that exposed the data is not at or above the standard, defense will be difficult

HIPAA Requirements in a Nutshell

– Written policies and notification of those policies and practices to patients
– Patient right to access his or her record, and the right to correct errors
– Use of "minimum necessary" data for various functions
– Designation of entity official responsible for privacy
– Training, internal safeguards, a complaint process, sanctions for violations and mitigation procedures
– Compliance by "business associates" and employers acting as "plan sponsors"

– Linda Malek, Esq., Moses & Singer

HIPAA Exposure Spreads

– The fact that HHS will not actively pursue violations is irrelevant
– “Low-stakes” exposure exists for litigation involving a single plaintiff and an isolated breach
– “High-stakes” exposure exists, such as inadvertent mass disclosure due to poor security, or failure to follow internal privacy policies/procedures, or medical data abuses or breaches by business associates
– For a security violation or a breach by a business associate, plaintiffs’ lawyers might use the satisfactory assurance requirement plus a state law negligence claim by patients for wrongful disclosure of PHI
– Argument is that the covered entity owed a duty of care to the patient to ensure that personal data was not negligently entrusted to a third party who failed to take appropriate steps to safeguard it
– The applicable standard of care would likely be the prudent behavior standard, which plaintiffs’ lawyers could be expected to argue is enhanced by the HIPAA statutory standard of “satisfactory assurance”

– Leigh-Ann Patterson, Esq., Nixon Peabody

Security Practices in the HIPAA Security Rule

Organizational Practices
– Security and confidentiality policies
– Information security officers
– Education and training programs, and
– Sanctions

Technical Practices and Procedures
– Individual authentication of users
– Access controls
– Audit trails
– Physical security
– Disaster recovery
– Protection of remote access points
– Protection of external electronic communications
– Software discipline, and
– System assessment

Use these as a check list for comparison with your current security practices.

Physical Security and Data Protection

– Assign security responsibility
– Control of electronic media (access, backup, storage, disposal), including audit trails
– Limit physical access to systems and facilities
– Control workstation use
– Secure location for workstations
– Security awareness training for personnel
– Access control, including process for emergency access
  – Either context-based, role-based or user-based access must be provided
– Controls must be auditable
– Data authentication must be provided
– Uniquely-identifiable user authentication, with an automatic logoff feature, e.g. PIN, password, token, biometric
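The access-control items on this slide (uniquely identifiable user authentication, role-based access, auditable controls, automatic logoff) are easier to check against your own systems when you can see them working together. The following is an added example written for this page, not code from the presentation or from any HIPAA guidance: a small model in which every user has an individual account, each role may read only the record fields it needs, every decision is written to an audit trail, and an idle session is logged off automatically. The user names, passwords, the PHI record, the role permissions and the 15-minute timeout are all constructed values.

```python
"""Added example: individual authentication, role-based access to "minimum
necessary" fields, an audit trail, and automatic logoff after idle time.
Users, passwords, the record and the timeout are constructed, not from the slides."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

IDLE_TIMEOUT_SECONDS = 900   # assumed policy value: 15 minutes idle -> automatic logoff
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so stored credentials are not reusable if the store leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str, role: str) -> Dict[str, object]:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user directory keyed by a unique user id: no shared accounts.
USERS: Dict[str, Dict[str, object]] = {
    "nurse.alice": make_user("correct-horse-battery", "clinician"),
    "clerk.bob": make_user("staple-battery-horse", "billing"),
}

# Role -> record fields that role may read ("minimum necessary").
PERMISSIONS: Dict[str, set] = {
    "clinician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
}

# Constructed PHI record.
RECORD: Dict[str, str] = {
    "name": "Pat Doe",
    "diagnosis": "example diagnosis",
    "medications": "example medication list",
    "insurance_id": "INS-0001",
}

AUDIT_LOG: List[Dict[str, object]] = []   # the auditable trail of every decision


def audit(user: str, action: str, outcome: str, now: float) -> None:
    AUDIT_LOG.append({"ts": now, "user": user, "action": action, "outcome": outcome})


class Session:
    def __init__(self, user: str, role: str, now: float) -> None:
        self.user = user
        self.role = role
        self.last_activity = now
        self.active = True


def login(user_id: str, password: str, now: Optional[float] = None) -> Optional[Session]:
    now = time.time() if now is None else now
    entry = USERS.get(user_id)
    # Always run the hash so an unknown user costs the same time as a wrong password.
    salt = entry["salt"] if entry else secrets.token_bytes(16)
    ok = entry is not None and hmac.compare_digest(_hash_password(password, salt), entry["hash"])
    audit(user_id, "login", "ok" if ok else "denied", now)
    return Session(user_id, entry["role"], now) if ok else None


def read_field(session: Session, field: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    if not session.active or now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        session.active = False                      # automatic logoff
        audit(session.user, "read:" + field, "auto-logoff", now)
        raise PermissionError("session expired: automatic logoff after idle time")
    session.last_activity = now
    if field not in PERMISSIONS[session.role]:      # role-based access check
        audit(session.user, "read:" + field, "denied", now)
        raise PermissionError(f"role {session.role!r} may not read {field!r}")
    audit(session.user, "read:" + field, "ok", now)
    return RECORD[field]


if __name__ == "__main__":
    t0 = 1_000_000.0
    s = login("nurse.alice", "correct-horse-battery", now=t0)
    print(read_field(s, "diagnosis", now=t0 + 60))
    for field, when in (("insurance_id", t0 + 120), ("name", t0 + 120 + IDLE_TIMEOUT_SECONDS + 1)):
        try:
            read_field(s, field, now=when)
        except PermissionError as err:
            print("refused:", err)
    for entry in AUDIT_LOG:
        print(entry)
```

The `now` parameter exists so the idle-timeout path can be exercised deterministically; in production the wall clock is used. The audit trail records refusals as well as successes, which is what makes the control auditable rather than merely enforced.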

Data Transmission and Digital Signatures

– Message authentication & integrity controls
  – Either access controls or encryption must also be provided
– If a network is used, the following must be implemented:
  – Alarm capability
  – Audit trails
  – Entity (user) authentication
  – Event reporting
– Use of digital signatures is optional under HIPAA
– If used, digital signature technology must ensure:
  – Message integrity
  – Non-repudiation
  – User authentication
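The distinction the slide draws between message authentication/integrity controls and digital signatures is concrete once you build the simpler of the two. The following is an added example for this page, not code from the presentation: a sender computes an HMAC-SHA256 tag over a canonical encoding of a PHI message with a key shared with the receiver; the receiver rejects any message whose tag does not verify and, as a form of event reporting, records what it accepted or rejected and refuses to accept the same message id twice. The key, the message contents and the ids are constructed. A shared-key MAC like this gives integrity and entity authentication but not non-repudiation (either key holder could have produced the tag), and it gives no confidentiality, which is why encryption must be added on open networks.

```python
"""Added example: HMAC-based message authentication and integrity check for a PHI
message, with receiver-side event reporting and replay rejection. Key, message and
ids are constructed; this is not code from the presentation."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Set


def canonical(payload: Dict[str, object]) -> bytes:
    # Deterministic encoding so sender and receiver compute the MAC over identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(key: bytes, payload: Dict[str, object]) -> Dict[str, str]:
    """Sender side: attach an HMAC-SHA256 tag to the canonical body."""
    body = canonical(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode("utf-8"), "tag": tag}


class Receiver:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seen: Set[str] = set()      # message ids already accepted
        self.events: List[str] = []       # event reporting for the audit trail

    def accept(self, envelope: Dict[str, str]) -> Optional[Dict[str, object]]:
        """Return the payload if the tag verifies and the message is not a replay, else None."""
        body = envelope.get("body", "")
        expected = hmac.new(self._key, body.encode("utf-8"), hashlib.sha256).hexdigest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, envelope.get("tag", "")):
            self.events.append("rejected: bad tag")
            return None
        payload = json.loads(body)
        msg_id = payload.get("msg_id")
        if not isinstance(msg_id, str) or msg_id in self._seen:
            self.events.append("rejected: replay or missing msg_id")
            return None
        self._seen.add(msg_id)
        self.events.append("accepted: " + msg_id)
        return payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # shared key, constructed for the demo
    rx = Receiver(key)
    msg = {"msg_id": "m-0001", "patient": "Pat Doe", "result": "example lab value"}
    env = protect(key, msg)
    print(rx.accept(env))                # payload: tag verifies, first time seen
    altered = dict(env, body=env["body"].replace("example lab value", "changed value"))
    print(rx.accept(altered))            # None: body changed, tag no longer verifies
    print(rx.accept(env))                # None: same msg_id presented again
    print(rx.events)
```

Replacing the HMAC with a signature from a private key held only by the sender is what turns this into the digital-signature variant the slide describes: verification then uses the sender's public key, so a verified message can be attributed to that sender alone.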

PII and PHI on Open Networks

“Each organization that uses communications or networks would be required to protect communications containing health information that are transmitted electronically over open networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient, and to protect their information systems from intruders trying to access systems through external communication points.”

“When using open networks, such as the Internet or dial-in lines, some form of encryption should be employed.”


VANs And VPNs

– The utilization of less open systems/networks such as those provided by a value-added network (VAN) or private-wire arrangement provides sufficient access controls to allow encryption to be an optional feature.
– VPNs tunnel over the Internet and must be encrypted, as well as protected

Enterprises Need Privacy Management

– Requires board level attention, commitment, action
– Appointing a CPO is probably best first step
– Titles may differ, but someone needs to be in charge
– CPO shows you take privacy seriously
  – Great way to focus energy on privacy programs
  – But CPO quickly swamped, needs support team
  – CPO/Team must be inter-disciplinary: Legal, Technical, Public and government relations, Marketing, Management

CPO Has Internal and External Roles

Internal Role
– Company-wide Strategy
– Business Development
– Product Development & Implementation
– Operations
– Security & Fraud
– Corporate Culture
– Facilitator:
  – with senior management support, forge long-term cross-disciplinary privacy model
  – problem solve for team members
  – assure cross-disciplinary training

External Role
– Industry Relations
– Government Relations
– Media and PR
– Privacy Community
– Consumer Relations

The CPO’s Top Ten Challenges

1. Data = corporate “family jewels,” but value = use, so entire data life cycle needs to be understood and protected

2. Contractual protections helpful, but on their own are not enough

3. Security threats: hackers, partners, and the marketing dept.

4. New products/services requiring review of data policies

5. New partnerships/alliances requiring coordination of policies

6. Data “bumps” (combining databases, augmenting data)

7. M&A issues (merging differing policies) and ownership changes

8. Monitoring for compliance in fast-moving organizations

9. Consumer fears: higher than ever, media sees a good story

10. Legislators/regulators eager to turn that fear to their advantage


10 Action Items

Three areas:
– “Know what you do.”
– “Say what you do.”
– “Do what you say.”

Courtesy of Ray Everett-Church, CPO, ePrivacy Group and the author of “Internet Privacy for Dummies.”

“Know what you do”

1. Assess your data gathering practices
   – Database Administrator is your friend
   – Division level, department level databases?
   – Business development deals? Marketing plans?
2. Understand your level of "permission"
   – “Legacy” databases and past practices
   – Past performance v. future expectations
3. Assess your defensive measures against outsiders
   – Network security audits
4. Assess your defensive measures against insiders
   – Consider centralized policies if not centralized control
   – Access restrictions in place and managed right

“Say what you do”

(a/k/a Drafting/Revising your Privacy Policy)

5. Clearly disclose all relevant practices
   – Notice, choice, access, security, redress
6. Plan for changes in practices that are consistent with today’s policy
   – Balancing “weasel wording” with true flexibility
7. If you diverge from today’s policy, make the changes loud and clear, and move on!
   – State your case plainly, proudly, and let consumers make their choices

“Do what you say”

8. Get a CPO and build a privacy team
   – Designate point person in departments
     • Business Development
     • Product Management/Development
     • Operations
   – Designate point person for major issues
     • Compliance (regulatory & industry)
     • Legal and Regulatory
9. Implement ongoing security and data audits
10. Integrate privacy into your corporate message
   – Internally (education)
   – Externally (consumer message, industry, regulators)

10 Time-saving/Cost-saving Steps

1. Invest in a good data audit (self or 3rd party).
   – Identifies current practices, uncovers flaws, sets baseline.
2. Invest in a good security audit.
   – Cheaper before trouble occurs v. after trouble occurs
3. Once practices are assessed and problem areas resolved, get certified* (e.g., TRUSTe, BBBOnline).
   – * know the limitations of certification programs
4. Keep an eye on the political/regulatory scene: AIM, DMA, ITAA, OPA.
   – Easiest way to stay ahead of the curve, alerted to data practices that are in media, privacy advocate cross-hairs.
5. No team? Recruit “clueful” staff.

10 Time-saving/Cost-saving Steps

6. Build privacy policies and audit rights into agreements
   – Partners are a weak link; privacy problems spread
7. Don’t be shy about bringing in help.
   – Think of auditors, consultants as insurance.
   – When in Rome... get local counsel!
   – Recruit company executives (internal or external) for “Privacy Board” to share responsibility, blame.
8. Plan for disaster.
9. Participate in the legislative process.
   – Prevention is cheaper than cure (ask kids sites).
   – Do us all a favor: if you have a good story, tell it!
10. Join the IAPO: We’re all in this together.

Plan of Attack: Target, Treat, Train

– Target
  – Find current privacy exposures and prioritize
  – (Talk to department heads, map data flows, ask questions, especially of marketing)
– Treat
  – Make necessary changes and then institute policies and procedures to prevent recurrence
– Train
  – Make sure everyone understands the importance of privacy, especially anyone who touches PII
  – (This goes a lot further than customer service, e.g. contracts, programming, product development)

Privacy Incident Cost Containment Model

– Identify biggest risks in key areas of the business
– Fix these first
– Move on to the lesser risks
– While developing policy, procedures, training
– Faster, cheaper risk reduction than “assess-then-amend”

(Chart: Risk against Time, comparing the PICC curve with Assess/Amend)

Your Best Weapon? Training & Awareness

– Security technology without security training is a waste of money (e.g. anti-virus software v. email attachments)
– The single best defense is a privacy and security-savvy workforce
– Documented training also creates strong defense for the organization in the event of privacy or security breach
  – “We trained this person not to do that, so we were not negligent”
– Training required by regulations but more importantly by due diligence and standard of due care
– Training can be accomplished at reasonable cost per person through technology (web, intranet, video, etc)

Training for All Employees Who Touch PII

Web-based training is very cost-effective

General and Compliance Courses

Third-party endorsed training is good due diligence

Changes Privacy Makes to Security

– Security must extend traditional protection of company data to customer data, at all stages of the data life cycle
– Security must understand that any PII leakage is a security issue
– All employees must be privacy and security-savvy
– Security will be asked to authenticate customers, to allow them access to their PII
– Security must secure wireless and other technologies that threaten PII
– Encryption for communication of PII will need to get much better
– On the plus side: security may get a boost from the provable ROI you get with privacy/security spending

(Diagram: data life cycle, Data Collection, Data Storage, Data Usage, Data Sharing, Data Destruction and Retention)

Tools to Help

– Professional associations, e.g. IAPO
– Trust authorities, e.g. TRUSTe
– Free tools for policies/notices/statements: see Privacy for Business Sources
– Some good conferences: privacyassociation.org
– Privacy rights management software emerging, e.g. IBM’s Tivoli SecureWay Privacy Manager and Enterprise Privacy Architecture

The Good News Is: Privacy Pays

– Security professionals struggle to justify security spending to CxOs
– ROI in security is inherently hard to figure
  – Company A spends $1 million and suffers no breaches. Company B spends $2 million. Was B twice as safe? How would you know? Or was A twice as lucky? And at what point do you reach diminishing returns?
– But privacy has a provable ROI, for example: Royal Bank of Canada
  – The bank takes the position that giving customers the level of privacy they want is a competitive differentiator.
  – For example, its banking division maintains in its databases a file of customers' privacy preferences. Before managers undertake any marketing initiative, they must check mailing and calling lists against that database.
  – "Information is really the currency of the relationship with our customers, and trust is a key part of that relationship." — Peter Cullen, CPO

And the Grand Prize Is: $630 million

– The consumer and retail portion of RBC market capitalization is $9.0 billion.
– Each year, the bank surveys customers about the importance of branch services, customer service, and more than a dozen other items.
– Added privacy to the list about six years ago. Ranks in the middle of what consumers consider valuable.
– Based on the survey results, the bank figures that privacy drives 7% of the demand for its products and services.
– That means 7% of the $9.0 billion shareholder value of the bank's consumer business: $630 million.

Thank You! — For More Information

– Email Stephen Cobb: sc at cobbassociates.com
– Privacy for Business News: www.privacyforbusiness.com
– Cobb Associates: www.cobbassociates.com
– Join IAPO at www.privacyassociation.org