cobbassociates.com. Copyright 2002, Stephen Cobb
Privacy Today
Why It’s Driving Security and How You Can Manage It
Stephen Cobb, CISSP
Page 2 of 43 ©Stephen Cobb, 2003 www.cobbassociates.com
Today’s Agenda
Why and how privacy is driving security
What privacy laws/rules are impacting security
How to manage privacy in your organization
Changes you may need to make to your security
Tools to help
Session Time 9.00 AM-Noon, 12/10/02
Session Leader
Stephen Cobb, CISSP
Started writing [his] first computer security book, 1989
Stephen Cobb Guide to PC & LAN Security, 1992
National Computer Security Association, 1994-96
Miora Systems Consulting (MSC), InfoSec Labs, 1997-1999
Security Evangelist, Rainbow Technologies, 1999-2001
Senior VP, Research & Education, ePrivacy Group, 2001
Advised Federal Trade Commission in matter of Eli Lilly (prozac.com)
Author, Privacy for Business: Web Sites & Email, 2002
Adj. Professor MSc. Information Assurance, Norwich University, 2002
3 Biggest Things in Security This Year?
The identity theft explosion
– Large-scale, computer-access based, fuels consumer fears over handling of personally identifiable information (PII) by commercial and government entities
FTC action in Eli Lilly and Microsoft Passport
– Companies who break privacy promises and fail to live up to security claims will face consequences (like 20 years of government monitoring)
Bugbear and other virus/worm/Trojan code
– Apart from being hard to stop, they expose PII and underline the sad state of client systems today
Relationship of Privacy to Security
Complex and definition dependent
– Security is about how you control access to information
– Privacy is about who controls access to what information
Security is technology, privacy is policy
– Security is a two-edged sword, e.g. Fired? PGP the hard drive!
– Privacy is a two-sided dilemma, e.g. Don’t track me! Track my miles!
You can have security without privacy, but you can’t have privacy without security
– KPMG, “Managing Privacy as a Competitive Advantage”
IT security in the enterprise has traditionally served the interests of the enterprise. Privacy brings a new customer to the table: the customer.
– David Brussin, CISSP, CTO, ePrivacy Group
Some Definitions Should Help
Information Privacy:
– The right of individuals (customers) to determine if, when, how, and to what extent data about themselves will be collected, used and shared with others. (Ask me who uses this definition.)
Information Security:
– The ability to control the confidentiality, integrity, and availability of information.
Personally Identifiable Information:
– Any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or from which identification or contact information of an individual person can be derived. Includes, but is not limited to: name, address, phone number, fax number, email address, financial profiles, medical profile, social security number, and credit card information.
Concerns Cannot Be Denied or Ignored
Fundamentalists want more privacy rules.
Pragmatists favor self-regulation.
Survey of 1500 consumers by Privacy and American Business
Business Has Responded, But Slowly
So far only 51% of companies have privacy policies, even though 97% have Web sites and 53% use those sites for e-commerce
– Weak sectors: retail, healthcare, manufacturing
– Stronger sectors: banking, transportation
Computer Economics Institute, March 2002
Barely half of companies post privacy notices on their Web sites and 60% don’t monitor their Web sites to make sure they deliver the privacy that’s promised
Watchfire/PWC
Privacy Incidents = Security Incidents
Eli Lilly Prozac Email Incident
– Exposed PII of prozac.com reminder service subscribers
– FTC deemed this coding error to be a security failure
– Imposed a settlement that lasts 20 years
– State fines imposed (piggyback)
Microsoft Passport
– Claim of strong security found deceptive
– Even though no PII exposed
– FTC settlement imposed
– Fines if broken ($11K each time)
Ziff Davis
– Exposed credit cards on Web; ID theft resulted
– $125K to states and persons
Incident Impact: stock price takes a hit; press “goes negative”; brand name tarnished; resources diverted; opportunity costs incurred (marketing, PR, employees, managers, lawyers)
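The Ziff Davis item is the kind of exposure a routine scan of your own public pages would have caught before the press did. What follows is an added example, not code from these slides or from any company named in them: a small Python scanner that looks for card numbers, Social Security numbers and e-mail addresses in page text, and uses the Luhn check to drop long digit runs that merely look like cards (order numbers, timestamps). The sample page, and every number and address in it, is constructed.

```python
"""Scan page text for exposed PII: card numbers, SSNs and e-mail addresses.

Added example, not code from the slides or from any company named in them.
The sample page below is constructed; every number and address in it is fake.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN in the 123-45-6789 form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

SAMPLE_PAGE = """\
<!-- constructed sample: an order receipt left world-readable on a Web server -->
Order 1234567890123 confirmed for jane.doe@example.com
Card on file: 4111 1111 1111 1111 (exp 09/04)
Previous card: 4111-1111-1111-1112
SSN for credit check: 123-45-6789
Questions? Call 1-800-555-0199
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, value) pairs for each PII item found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops order numbers, timestamps, mistyped cards
            found.append(("card", digits))
    for m in SSN_RE.finditer(text):
        found.append(("ssn", m.group()))
    for m in EMAIL_RE.finditer(text):
        found.append(("email", m.group()))
    return found


def mask(value: str, keep: int = 4) -> str:
    """Show only the last `keep` characters so the scan report is not itself a leak."""
    return "*" * (len(value) - keep) + value[-keep:]


def report(text: str) -> list:
    """Masked findings, suitable for a ticket or a log line."""
    return [f"{kind}: {mask(value)}" for kind, value in find_pii(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_PAGE):
        print(line)
```

Run against the constructed page it reports one card, one SSN and one e-mail address; the 13-digit order number and the mistyped card both fail Luhn and are ignored. Point it at fetched page bodies, access logs or database exports, and keep the report masked: a scan that writes raw card numbers into a ticketing system has just created a second exposure.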
Security Breaches = Privacy Breaches
Privacy breach occurs when there is exposure of personally identifiable information (PII), regardless of what caused the exposure
The controls imposed by proper security could prevent most of these breaches
– E.g. Ziff Davis Media exposed credit cards on Web: due to rogue action inside the company (bypassed SOP), but security procedures should have prevented this action
– E.g. Microsoft ftp site snafu: millions of names and addresses, “encrypted” with Zip using a 4-letter password (a key space small enough to brute-force in seconds); policy and procedure could have prevented it, better awareness would help
Security includes proper software development methodology and protocols, e.g. Eli Lilly
– Company had extensive QA, version control, etc.
– But Web/email developers were not included
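The Eli Lilly case is a coding error of a very ordinary kind: the reminder went out as one message with every subscriber’s address in the To: header, so each recipient could read the whole list. Below, as an added example (not code from these slides or from Lilly), is that pattern in Python beside the per-recipient version, plus the release check a reviewer would add to any mailing job that handles PII. The service and the subscriber addresses are made up.

```python
"""A subscriber reminder mailing: the header-leak pattern beside the safe one.

Added example, not code from the slides or from Eli Lilly; the service and the
subscriber addresses are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "reminders@example.com"
SUBSCRIBERS = ["alice@example.com", "bob@example.net", "carol@example.org"]  # constructed


def _reminder(to_header: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_header
    msg["Subject"] = "Your scheduled reminder"
    msg.set_content("This is your reminder from the subscription service.")
    return msg


def build_bulk_reminder(subscribers) -> EmailMessage:
    """The flaw: one message with every subscriber in the visible To: header.
    Every recipient learns who else is on the list, which for a medication
    reminder service is itself sensitive PII."""
    return _reminder(", ".join(subscribers))


def build_reminders(subscribers) -> list:
    """The fix: one message per subscriber, so no header ever carries anyone
    else's address. (Bcc: would also hide the list, but a per-recipient send
    cannot leak even if a later code change puts the list in the wrong header.)"""
    return [_reminder(addr) for addr in subscribers]


def visible_recipients(msg: EmailMessage) -> list:
    """Addresses any recipient can read: everything in To: and Cc:."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers])]


def safe_to_send(msg: EmailMessage) -> bool:
    """Release gate for a PII-bearing mailing job: refuse any message that
    would disclose one subscriber to another."""
    return len(visible_recipients(msg)) <= 1


def send_all(messages, transport) -> int:
    """Hand messages to a transport (e.g. smtplib.SMTP.send_message) only if
    each one passes the gate; returns how many were sent."""
    sent = 0
    for msg in messages:
        if not safe_to_send(msg):
            raise ValueError(
                f"refusing to send: {len(visible_recipients(msg))} visible recipients")
        transport(msg)
        sent += 1
    return sent


if __name__ == "__main__":
    bulk = build_bulk_reminder(SUBSCRIBERS)
    print("bulk message exposes", len(visible_recipients(bulk)), "addresses")
    print("sent", send_all(build_reminders(SUBSCRIBERS), lambda m: None),
          "per-recipient messages")
```

The gate in send_all is the part worth copying: it belongs in the mailing job, not in a code review checklist, so that the next developer who is “not included” in the QA process still cannot ship a list-disclosing message.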
Cost of “A Damaging Privacy Incident”
[Chart: cost of a damaging privacy incident] – Forrester Research, Feb 2001 Report (www.forrester.com)
Privacy Imperatives: What You Have to Do
Privacy Laws (over 30 Federal, more State):
– COPPA (kids on the Web)
– HIPAA (covers health care organizations and more)
– GLBA (covers many finance-related companies)
– FTCA? FTC’s mandate to act on “deceptive practices”
Privacy Torts: right of private privacy action
– Yesterday Tammy, today Prozac in the mail box, tomorrow?
– Class action privacy lawsuits are on the increase
– More attorneys willing to take privacy cases on contingency basis
State Attorneys General: no downside for them
– Great way to show you care about consumers
– Also resonates with calls for corporate responsibility
– New York AG Spitzer particularly aggressive
Why “No New Privacy Laws” Means More Cases
Familiar argument: we don’t need any more laws, we need enforcement of existing laws. Applied by the Bush administration to privacy laws, so the FTC is enforcing the law
Taking action against “deceptive business practices”
– If your company promises to protect PII but fails, you may be judged to have broken “privacy promises” (in the courts of public opinion, press, and law)
– This has been deemed a deceptive trade practice (deceiving consumers brought unfair advantage over competitors)
– Breaking of promises does not need to be intentional to be judged deceptive, and a breach does not need to have actually occurred to be prosecuted:
– “Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It is not only good business, it’s the law. Even absent known security breaches, we will not wait to act.” —FTC Chairman Timothy Muris, August 2002
4 Way Privacy Pressure = 4 X Risk
[Diagram: four sources of pressure (Compliance, FTC, State AGs, Civil Suits) converge on the organization: 4 X Pressure = 4 X Risk]
Security is no longer just about protecting company secrets
Must also provide protection for customer data throughout the data life cycle
Requires an effective approach to “privacy management”
Security Rules for Privacy Laws
HIPAA and GLBA establish security rules
These are significant even if your organization is not a covered entity for either of these laws
Implications of HIPAA Security Rule
– Federally mandated standard for security practices
• For organizations involved in health or handling health-related information, including much research data
• Defines practices necessary to conduct business electronically in the health care industry today
• Establishes that these are the things you should be doing today (pre-empting arguments over costs)
– Provides solid basis for legal action by anyone who feels harmed by exposure of their health data
• If the organization that exposed the data is not at or above the standard, defense will be difficult
HIPAA Requirements in a Nutshell
Written policies and notification of those policies and practices to patients
Patient right to access his or her record, and the right to correct errors
Use of “minimum necessary” data for various functions
Designation of entity official responsible for privacy
Training, internal safeguards, a complaint process, sanctions for violations and mitigation procedures
Compliance by “business associates” and employers acting as “plan sponsors”
– Linda Malek, Esq., Moses & Singer
HIPAA Exposure Spreads
The fact that HHS will not actively pursue violations is irrelevant
“Low-stakes” exposure exists for litigation involving a single plaintiff and an isolated breach
“High-stakes” exposure exists, such as inadvertent mass disclosure due to poor security, or failure to follow internal privacy policies/procedures, or medical data abuses or breaches by business associates
For a security violation or a breach by a business associate, plaintiffs’ lawyers might use the satisfactory assurance requirement plus a state law negligence claim by patients for wrongful disclosure of PHI
Argument is that the covered entity owed a duty of care to the patient to ensure that personal data was not negligently entrusted to a third party who failed to take appropriate steps to safeguard it
The applicable standard of care would likely be the prudent behavior standard, which plaintiffs’ lawyers could be expected to argue is enhanced by the HIPAA statutory standard of “satisfactory assurance”
– Leigh-Ann Patterson, Esq., Nixon Peabody
Security Practices in the HIPAA Security Rule
Organizational Practices
– Security and confidentiality policies
– Information security officers
– Education and training programs, and
– Sanctions
Technical Practices and Procedures
– Individual authentication of users
– Access controls
– Audit trails
– Physical security
– Disaster recovery
– Protection of remote access points
– Protection of external electronic communications
– Software discipline, and
– System assessment
Use these as a check list for comparison with your current security practices.
Physical Security and Data Protection
Assign security responsibility
Control of electronic media (access, backup, storage, disposal), including audit trails
Limit physical access to systems and facilities
Control workstation use
Secure location for workstations
Security awareness training for personnel
Access control, including process for emergency access
– Either context-based, role-based or user-based access must be provided
Controls must be auditable
Data authentication must be provided
Uniquely-identifiable user authentication, with an automatic logoff feature, e.g. PIN, password, token, biometric
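The access-control requirements on this slide (role-based access, auditable controls, uniquely identifiable users, a process for emergency access, automatic logoff) map onto a small amount of code. The following is an added example, not from these slides or from the HIPAA rule text: a Python access controller for PHI fields that grants by role on a minimum-necessary basis, writes every decision to an audit trail, enforces an idle logoff, and allows a documented break-glass override that is flagged for the privacy officer to review. Roles, field names, users, record IDs and the idle limit are invented.

```python
"""Role-based access to PHI with an audit trail, break-glass access and idle logoff.

Added example (not from the slides or the HIPAA rule text): roles, PHI fields,
user names, record IDs and the idle limit below are invented for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# "Minimum necessary": each role is mapped to the PHI actions its job requires
# and nothing more. A role missing from this table gets nothing.
ROLE_PERMISSIONS = {
    "clinician": {"read:diagnosis", "read:medications", "write:medications"},
    "billing_clerk": {"read:insurance", "read:billing"},
    "receptionist": {"read:contact"},
}

IDLE_LIMIT = timedelta(minutes=10)  # automatic logoff threshold (assumed value)
T0 = datetime(2002, 12, 10, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def later(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


@dataclass
class AuditEvent:
    when: datetime
    user: str          # a unique individual, never a shared account
    role: str
    action: str
    record_id: str
    granted: bool
    break_glass: bool  # granted only because of the emergency override
    reason: str


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime

    def is_active(self, now: datetime) -> bool:
        """Automatic logoff: a session idle longer than IDLE_LIMIT is dead."""
        return now - self.last_activity <= IDLE_LIMIT


def make_session(user: str, role: str, when: datetime = T0) -> Session:
    return Session(user, role, when)


@dataclass
class AccessController:
    audit_log: list = field(default_factory=list)

    def check(self, session: Session, action: str, record_id: str, *,
              now=None, emergency: bool = False, reason: str = "") -> bool:
        """Decide one access request and record it, whether granted or not."""
        now = now or datetime.now(timezone.utc)
        if not session.user:
            raise ValueError("every access must be tied to an identified user")
        if not session.is_active(now):
            # Expired session: deny, and still write the audit record.
            self._log(now, session, action, record_id, False, False, "idle logoff")
            return False
        normal = action in ROLE_PERMISSIONS.get(session.role, set())
        break_glass = emergency and not normal
        if break_glass and not reason:
            raise ValueError("emergency access requires a documented reason")
        granted = normal or break_glass
        self._log(now, session, action, record_id, granted, break_glass, reason)
        return granted

    def _log(self, now, session, action, record_id, granted, break_glass, reason):
        self.audit_log.append(AuditEvent(now, session.user, session.role, action,
                                         record_id, granted, break_glass, reason))

    def break_glass_events(self) -> list:
        """What the privacy officer reviews: every emergency override that was used."""
        return [e for e in self.audit_log if e.break_glass]

    def denied_events(self) -> list:
        return [e for e in self.audit_log if not e.granted]


if __name__ == "__main__":
    ac = AccessController()
    clin = make_session("jdoe", "clinician")
    desk = make_session("rlee", "receptionist")
    print("clinician reads diagnosis:", ac.check(clin, "read:diagnosis", "MRN-1001", now=T0))
    print("clinician reads billing:", ac.check(clin, "read:billing", "MRN-1001", now=T0))
    print("receptionist break-glass:", ac.check(desk, "read:diagnosis", "MRN-1001", now=T0,
                                                 emergency=True, reason="ER triage, on-call unreachable"))
    print("clinician after 11 idle minutes:", ac.check(clin, "read:diagnosis", "MRN-1001", now=later(11)))
    print(len(ac.audit_log), "audit events,", len(ac.break_glass_events()), "flagged for review")
```

Two design points carry the weight here. Every decision, including denials and idle logoffs, lands in the audit trail, because the denied attempts are what an investigator needs after a complaint. And the emergency path does not bypass the controller; it is a distinct, reason-bearing grant that shows up in a review list, which is how “process for emergency access” and “controls must be auditable” are satisfied at the same time.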
Data Transmission and Digital Signatures
Message authentication & integrity controls
– Either access controls or encryption must also be provided
If a network is used, the following must be implemented:
– Alarm capability
– Audit trails
– Entity (user) authentication
– Event reporting
Use of digital signatures is optional under HIPAA
If used, digital signature technology must ensure:
– Message integrity
– Non-repudiation
– User authentication
PII and PHI on Open Networks
“Each organization that uses communications or networks would be required to protect communications containing health information that are transmitted electronically over open networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient, and to protect their information systems from intruders trying to access systems through external communication points.”
“When using open networks, such as the Internet or dial-in lines, some form of encryption should be employed.”
VANs And VPNs
The utilization of less open systems/networks such as those provided by a value-added network (VAN) or private-wire arrangement provides sufficient access controls to allow encryption to be an optional feature.
VPNs tunnel over the Internet and must be encrypted, as well as protected
Enterprises Need Privacy Management
Requires board level attention, commitment, action
Appointing a CPO is probably the best first step
Titles may differ, but someone needs to be in charge
CPO shows you take privacy seriously
– Great way to focus energy on privacy programs
– But CPO quickly swamped, needs support team
– CPO/Team must be inter-disciplinary: Legal, Technical, Public and government relations, Marketing, Management
CPO Has Internal and External Roles
Internal Role
– Company-wide Strategy
– Business Development
– Product Development & Implementation
– Operations
– Security & Fraud
– Corporate Culture
– Facilitator: with senior management support, forge long-term cross-disciplinary privacy model; problem solve for team members; assure cross-disciplinary training
External Role
– Industry Relations
– Government Relations
– Media and PR
– Privacy Community
– Consumer Relations
The CPO’s Top Ten Challenges
1. Data = corporate “family jewels,” but value = use, so entire data life cycle needs to be understood and protected
2. Contractual protections helpful, but on their own are not enough
3. Security threats: hackers, partners, and the marketing dept.
4. New products/services requiring review of data policies
5. New partnerships/alliances requiring coordination of policies
6. Data “bumps” (combining databases, augmenting data)
7. M&A issues (merging differing policies) and ownership changes
8. Monitoring for compliance in fast-moving organizations
9. Consumer fears: higher than ever, media sees a good story
10. Legislators/regulators eager to turn that fear to their advantage
10 Action Items
Three areas:– “Know what you do.”– “Say what you do.”– “Do what you say.”
Courtesy of Ray Everett-Church, CPO, ePrivacy Group and the author of “Internet Privacy for Dummies.”
“Know what you do”
1. Assess your data gathering practices
– Database Administrator is your friend
– Division level, department level databases?
– Business development deals? Marketing plans?
2. Understand your level of “permission”
– “Legacy” databases and past practices
– Past performance v. future expectations
3. Assess your defensive measures against outsiders
– Network security audits
4. Assess your defensive measures against insiders
– Consider centralized policies if not centralized control
– Access restrictions in place and managed right
“Say what you do”
(a/k/a Drafting/Revising your Privacy Policy)
5. Clearly disclose all relevant practices
– Notice, choice, access, security, redress
6. Plan for changes in practices that are consistent with today’s policy
– Balancing “weasel wording” with true flexibility
7. If you diverge from today’s policy, make the changes loud and clear, and move on!
– State your case plainly, proudly, and let consumers make their choices
“Do what you say”
8. Get a CPO and build a privacy team
– Designate point person in departments
• Business Development
• Product Management/Development
• Operations
– Designate point person for major issues
• Compliance (regulatory & industry)
• Legal and Regulatory
9. Implement ongoing security and data audits
10. Integrate privacy into your corporate message
– Internally (education)
– Externally (consumer message, industry, regulators)
10 Time-saving/Cost-saving Steps
1. Invest in a good data audit (self or 3rd party).
– Identifies current practices, uncovers flaws, sets baseline.
2. Invest in a good security audit.
– Cheaper before trouble occurs v. after trouble occurs
3. Once practices are assessed and problem areas resolved, get certified* (e.g., TRUSTe, BBBOnline).
– * Know the limitations of certification programs
4. Keep an eye on the political/regulatory scene: AIM, DMA, ITAA, OPA.
– Easiest way to stay ahead of the curve, alerted to data practices that are in media, privacy advocate cross-hairs.
5. No team? Recruit “clueful” staff.
10 Time-saving/Cost-saving Steps
6. Build privacy policies and audit rights into agreements
– Partners are a weak link; privacy problems spread
7. Don’t be shy about bringing in help.
– Think of auditors, consultants as insurance.
– When in Rome... get local counsel!
– Recruit company executives (internal or external) for “Privacy Board” to share responsibility, blame.
8. Plan for disaster.
9. Participate in the legislative process.
– Prevention is cheaper than cure (ask kids sites).
– Do us all a favor: if you have a good story, tell it!
10. Join the IAPO: We’re all in this together.
Plan of Attack: Target, Treat, Train
Target
– Find current privacy exposures and prioritize
– (Talk to department heads, map data flows, ask questions, especially of marketing)
Treat
– Make necessary changes and then institute policies and procedures to prevent recurrence
Train
– Make sure everyone understands the importance of privacy, especially anyone who touches PII
– (This goes a lot further than customer service, e.g. contracts, programming, product development)
Privacy Incident Cost Containment Model
Identify biggest risks in key areas of the business
Fix these first
Move on to the lesser risks while developing policy, procedures, training
Faster, cheaper risk reduction than “assess-then-amend”
[Chart: Risk vs. Time; the PICC curve falls faster than the Assess/Amend curve]
Your Best Weapon? Training & Awareness
Security technology without security training is a waste of money (e.g. anti-virus software v. email attachments)
The single best defense is a privacy and security-savvy workforce
Documented training also creates a strong defense for the organization in the event of a privacy or security breach
– “We trained this person not to do that, so we were not negligent”
Training required by regulations but more importantly by due diligence and standard of due care
Training can be accomplished at reasonable cost per person through technology (web, intranet, video, etc.)
Training for All Employees Who Touch PII
Web-based training is very cost-effective
General and Compliance Courses
Third-party endorsed training is good due diligence
Changes Privacy Makes to Security
Security must extend traditional protection of company data to customer data, at all stages of the data life cycle
Security must understand that any PII leakage is a security issue
All employees must be privacy and security-savvy
Security will be asked to authenticate customers, to allow them access to their PII
Security must secure wireless and other technologies that threaten PII
Encryption for communication of PII will need to get much better
On the plus side: security may get a boost from the provable ROI you get with privacy/security spending
[Diagram: data life cycle – Data Collection, Data Storage, Data Usage, Data Sharing, Data Destruction and Retention]
Tools to Help
Professional associations
– E.g. IAPO
Trust authorities
– E.g. TRUSTe
Free tools for policies/notices/statements
– See Privacy for Business Sources
Some good conferences
– privacyassociation.org
Privacy rights management software emerging
– E.g. IBM’s Tivoli SecureWay Privacy Manager and Enterprise Privacy Architecture
The Good News Is: Privacy Pays
Security professionals struggle to justify security spending to CxOs
ROI in security is inherently hard to figure
– Company A spends $1 million and suffers no breaches. Company B spends $2 million. Was B twice as safe? How would you know? Or was A twice as lucky? And at what point do you reach diminishing returns?
But privacy has a provable ROI, for example: Royal Bank of Canada
– The bank takes the position that giving customers the level of privacy they want is a competitive differentiator.
– For example, its banking division maintains in its databases a file of customers’ privacy preferences. Before managers undertake any marketing initiative, they must check mailing and calling lists against that database.
– “Information is really the currency of the relationship with our customers, and trust is a key part of that relationship.” — Peter Cullen, CPO
And the Grand Prize Is: $630 million
The consumer and retail portion of RBC market capitalization is $9.0 billion.
Each year, the bank surveys customers about the importance of branch services, customer service, and more than a dozen other items.
Privacy was added to the list about six years ago; it ranks in the middle of what consumers consider valuable.
Based on the survey results, the bank figures that privacy drives 7% of the demand for its products and services.
That means 7% of the $9.0 billion shareholder value of the bank’s consumer business: $630 million.
Thank You! — For More Information
Email Stephen Cobb– sc at cobbassociates.com
Privacy for Business News– www.privacyforbusiness.com
Cobb Associates– www.cobbassociates.com
Join– IAPO at www.privacyassociation.org