Legal & Security Risks in Management and Disposal of Off-Network Technology

Life Cycle Security for IT Assets

Upload: rocco-damico, posted 05-Dec-2014


DESCRIPTION

White paper discussing the risks associated with managing off-network IT devices.

TRANSCRIPT

Page 1: Legal & Security Risks in Off-Network Technology

www.BrassValley.com

LEGAL & SECURITY RISKS IN MANAGEMENT AND DISPOSAL OF OFF-NETWORK TECHNOLOGY

Life Cycle Security for IT Assets

Page 2: Legal & Security Risks in Off-Network Technology


Copyright ©2013 Brass Valley LLC

You may republish excerpts from this eBook as long as they are accompanied by an attribution link back to www.brassvalley.com

To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/us/ or send a letter to: Creative Commons, 171 Second St, Suite 300, San Francisco, CA 94105 USA

This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License. You are free to share, copy, distribute and transmit the work under the following three conditions:

1. Attribution — You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).

2. Noncommercial — You may not use this work for commercial purposes.

3. No Derivative Works — You may not alter, transform, or build upon this work.

Thanks for downloading this eBook.

You may also share any thoughts or questions directly by emailing: [email protected]

Page 3: Legal & Security Risks in Off-Network Technology


One Man’s Trash... The Same Man’s Liability

Michael Lightfoot sipped a sweating can of diet Pepsi and set it down between a pile of documents and his cell phone. His office door popped open and Christy, his secretary, leaned her head in. “Mr. Lightfoot, there is a Mr. Sampson here to see you. He didn’t have an appointment, but he is freaking out in the waiting room.” Michael nodded to let him in.

Bill Sampson bustled in a minute later sweating as much as the can of soda. In a frantic tone he recounted his morning.

“I had been at work for about an hour and I was going through emails from this weekend when a sheriff walks up. There was his badge and a big gun, with a sour look on his face. My stomach plummeted. I thought he would arrest me right then in front of my whole office. Instead he hands me a subpoena and tells me I’ve been charged with what amounts to criminal negligence. I read on and find out that someone got hold of a computer that we sent out to be recycled and got a truck load of information off of it, customer credit info, employee medical records, and they say I’m liable.”

Indeed you may be, Bill, I thought. If Bill didn’t dispose of his old computer equipment properly and doesn’t have the evidence to back it up in court, he will be found guilty.

“How would I have evidence for that?” he bellowed. “Am I going to jail? Will the fines bankrupt my business?”

“Well, let’s see what you have.”

Page 4: Legal & Security Risks in Off-Network Technology


Table of Contents

Introduction ... 5
Laws Governing the Security of Off-Network Devices ... 7
The Undeniable Trend Toward Increasing Regulation and Enforcement ... 9
Off-Network Devices That Store Sensitive Information ... 12
Information Stored on Off-Network Devices ... 13
What Is My Liability? ... 14
Ramifications of Data Breaches ... 18
Protecting Off-Network Devices? ... 21
How to Get Started ... 25
About Brass Valley ... 26
About Michael Lightfoot ... 26
Footnotes ... 27

Page 5: Legal & Security Risks in Off-Network Technology


Introduction

According to a Ponemon study, 70% of data breaches come from off-network equipment. This is equipment that has been decommissioned, misplaced, or stolen. However, the vast majority of corporate budgets are spent on protecting on-line assets, although the law makes no distinction between on-line and off-line. Regardless of the network status, the company bears responsibility for protecting sensitive information.

The global market continues to demand better and faster access to the information needed to respond to market changes. Consequently, organizations are continuously implementing state of the art devices and deactivating “obsolete” equipment. In working with computers and data security for the last 30 years at corporations such as Allstate Insurance and as attorney for Research and Development at Motorola, we witnessed this process first hand.

Page 6: Legal & Security Risks in Off-Network Technology


But what becomes of that decommissioned technology? What are the legal requirements when you retire this equipment? Do you have a process for determining what data is on these devices? How do you securely and properly dispose of these devices? What could you prove in a court of law and would your proof be sufficient to be admissible?

Every person within the organization must have an increased awareness of the threat to data security. The threat is real and takes many forms, including:

• Consumer fraud through identity theft

• Exploding corporate espionage intent on embarrassing your organization

• Disgruntled employees

• Organized crime

• State sponsored spying in search of financial and/or competitive advantage

Headlines such as those involving the NSA and data security privacy are seen daily and are usually related to on-line activities. The dirty little secret is that most breaches are occurring off-network. Think about it, if you really wanted to acquire sensitive data, would you rather attack the company where they have their highest level of defense or would you rather attack where they are weakest?


Page 7: Legal & Security Risks in Off-Network Technology


Laws Governing the Security of Off-Network Devices

Dependent on your industry, the laws which govern how off-network devices are managed could include:

• HIPAA - Healthcare

• Sarbanes-Oxley - Financial services

• EPA regulations - Environmental regulations

• Federal Communications Commission regulations - Broadcast providers, phone service providers

• PCI regulations - Credit card data

• FDA (21 CFR Part 11) - Pharmaceuticals

• Gramm Leach Bliley - Banking

• PII - Personally identifiable information**

** For legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the legal term is being used. PII is any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and

Page 8: Legal & Security Risks in Off-Network Technology


any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. So, for example, a user’s IP address as used in a communication exchange is classified as PII regardless of whether it may or may not on its own be able to uniquely identify a person.

• State-by-state laws

• Federal legislation

As you can see, sometimes regulations may overlap. For example, a healthcare agency that processes credit cards may be governed under both HIPAA and PCI regulations.

Page 9: Legal & Security Risks in Off-Network Technology


The Undeniable Trend Toward Increasing Regulation & Enforcement

Governments at the State and federal levels have recognized the growing exposure related to information security. As a result, to combat these threats, there are growing mandates to control access to our data. Evidence of this trend is that many of these mandates are finding their way into legislation not originally intended to address data protection.

Let’s take a look at what has happened in the Healthcare industry with HIPAA, which is the first of many industries to be affected by this type of regulation in the near future. Under the American Recovery and Reinvestment Act of 2009, commonly known as the Stimulus Bill, State Attorneys General were empowered to prosecute HIPAA violations. So what was once only a federal violation has now become a violation at both the federal and State level. [1]

Example 1

Page 10: Legal & Security Risks in Off-Network Technology


In March 2013 the U.S. Department of Health and Human Services (HHS) moved forward to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Their Omnibus Final Rule greatly enhanced a patient’s privacy protections, provided individuals new rights to their health information, and strengthened the government’s ability to enforce the law. The Omnibus Rule marked the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented in 1996. Among other things, the Omnibus Final Rule revised the existing rule on breach notification for unsecured protected health information under the HITECH Act.

Example 2

The rule added language to the definition of a breach to identify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or Business Associate demonstrates that there is a low probability that the protected health information has been compromised. The rule also removed the harm standard and modified the risk assessment in order to focus objectively on the risk that the protected health information has been compromised.

Page 11: Legal & Security Risks in Off-Network Technology


The more objective factors that must be considered when performing a risk assessment to determine whether protected health information has been compromised and breach notification is necessary are also identified in the Omnibus Final Rule. [2]

From HIPAA and other regulations we see that electronic devices that store or access private data (in particular health-related and financial-related data) require the companies that handle such data to be extremely cautious with it, or risk loss of revenue, negative customer impact (which can trigger lawsuits against you, as we will see below), and bad publicity with its impact on an organization’s reputation. The potential consequences of not being able to prove you have performed due diligence in the protection of sensitive information can be severe.

Page 12: Legal & Security Risks in Off-Network Technology


Off-Network Devices That Store Sensitive Information

Below is a list of some of the types of equipment that will go off-network at some point in their lifecycle:

• PCs and laptops

• Servers

• Phone systems

• Two-way radios

• Spare parts

• Repaired & Broken equipment

• Network devices

• Copiers

• Camera equipment
  o Surveillance
  o Security
  o Sensors

• Smart phones
  o Company owned/supplied (Paid for?)
  o Personal (Bring your own device)

• Tablets

• Cloud

• Aviation electronics

• Medical devices

• Lottery equipment / gambling systems

• Wi-Fi devices / networking devices

• Telecom systems, VOIP, digital phone systems, PBXs

• Storage arrays

• Tape libraries/ tape drives

• Banking equipment imaging systems / ATMs/etc.

• Broadcast audio video equipment for TV/Movie industry

Page 13: Legal & Security Risks in Off-Network Technology


Information Stored on Off-Network Devices

Off-Network Devices can often contain proprietary internally developed software, network access information that could be used by hackers to identify network routing information and other passwords, confidential client information like social security numbers, patient information, personnel information, and trade secrets.

For example, a phone system may have user information on it, a copier may have copies of your most sensitive data stored on its hard drive, and networking devices contain IP addresses and passwords that could allow an outsider to penetrate your network.

Page 14: Legal & Security Risks in Off-Network Technology


What is my Liability?

A common misconception is that liability is transferred with the transfer of title to the equipment. However, in reality, liability remains with the owner of the data (for the life of the data) even if that data is no longer in your control! Liability is integrated with the data!

When you sell equipment or transfer it to an asset disposition provider, they have possession, not liability even after transfer of title has occurred.

Your specific liability depends on your role in the company, industry (i.e. healthcare, financial institutions, people that handle credit card information, etc.), and what type of data you have, as well as how you handle the management, storage, and disposal of the device. Here are some examples:

PUBLIC COMPANIES

Public companies are subject to the Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), which through its 11 titles, or sections, (ranging

Page 15: Legal & Security Risks in Off-Network Technology


from additional corporate Board responsibilities to criminal penalties), clearly places the legal responsibility for accurate financial reporting (including information security and valuation) squarely on the shoulders of senior management, including the potential for personal criminal liability for CEOs and CFOs.

Recent derivative litigation against the directors (i.e. Walt Disney Company, etc.) suggests that the plaintiffs will attack by a showing of bad faith by directors in their failure to exercise due care.

FINANCIAL INSTITUTIONS

According to the Federal Register, [3] all financial institutions must “develop, implement, and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards.”

Banking and financial institutions must also “take reasonable steps to assure itself that any third party to which it discloses customer information has safeguards that are adequate to fulfill the representations made by the financial institution regarding the security of customer information or the manner in which it is handled by third parties.”

Page 16: Legal & Security Risks in Off-Network Technology


INTELLECTUAL PROPERTY LIABILITY

Often overlooked in data security discussions, Intellectual Property (IP) protection, especially regarding patents and trademarks, has become increasingly important in most industry sectors in the United States.

Information security in protecting and valuing this IP (including off-line equipment) is one of the key technical and legal issues challenging corporations today. Yet, IP is an often overlooked component of Board strategy, performance and risk.

DIRECTOR LIABILITY

Directors need to understand how intellectual property relates to corporate strategy and have processes in place to make certain that critical issues related to the protection of intellectual property are brought to the Board’s attention in a timely manner.

In certain circumstances, federal intellectual property laws hold officers and directors liable for their corporation’s infringing acts.

Page 17: Legal & Security Risks in Off-Network Technology


Generally a court will respect a Board’s decision unless the directors:

• are “interested” or lack independence relative to the decision; or

• fail to act in good faith; or

• act in a manner that cannot be attributed to a rational business purpose; or

• reach their decision by a grossly negligent process

It is important to understand when a corporation’s liability can become a personal liability.

The laws governing licensing, copyrights, trademarks and patents each deal with the issues of liability for officers and directors slightly differently. Directors need to clearly understand the circumstances and types of activities that can result in their being held personally liable for infringements, so that corporate directors (and officers) can conduct themselves appropriately and obtain proper insurance and indemnification agreements.


Page 18: Legal & Security Risks in Off-Network Technology


Ramifications of Data Breaches

The liability that can arise from breaches of data security is a growing legal trend where lawsuits are filed against companies when data, that is considered proprietary or is classified as personal identifiable information, is made public. When a customer, vendor, or patient is harmed through the misuse of their data, your company remains liable.

The liability is generally dictated by a legal theory of damages known as the “Learned Hand Formula for Damages.” This legal liability model dictates that:

1. If protecting the data from damages was less costly than the potential damage that could be done from the loss of the data multiplied by the probability of the data loss occurring,

2. Then the party that was negligent in its duties to protect that data is liable for damages.

Page 19: Legal & Security Risks in Off-Network Technology


The graph below illustrates these points.

[Figure: “Due Diligence” graph. Vertical axis: Liabilities. Horizontal axis: Risk Management Maturity / Treatment of Risk / Security procedures, running from Under-Controlled to Over-Controlled. Labels: Compliance Line; Achieved Compliance, “Reasonable & Appropriate”; Risk Increases Without “Due Diligence”; Liability Zone; Perfect Security.]

Page 20: Legal & Security Risks in Off-Network Technology


There are currently lawsuits against the Veterans Administration (just settled for $400,000), and a Blue Cross lawsuit asking $4 billion in damages. Both are examples of the type of liability an organization might be subject to should they fail to be compliant to the regulations and laws to which they are subject. In these examples, the regulations are HIPAA and the recently passed, March 2013, HIPAA Omnibus regulation.

Sarbanes-Oxley, a law passed after the Enron fraud, provides for criminal penalties to CEOs, CFOs and others that execute documents where the information turns out to be, through negligence or criminality, false. See “One Man’s Trash...The Same Man’s Liability” (page 3) for a brief example. Sarbanes-Oxley also requires protection of intellectual property (IP) such as trade secrets, computer-aided drawings, formulas, patents, credit card data, and financial accounting information, which more and more are in electronic formats.

$1,000 per record: The average cost in a medical data breach.

25,000 records per incident: The average number of records stolen.

$1.5 million per breach event: Damages Assuming Liability to the company.

This figure only accounts for money paid in damages and does not include legal fees, time lost, reputation damage and other factors.

Page 21: Legal & Security Risks in Off-Network Technology


Protecting Off-Network Devices?

Good security practices should remain in effect regardless of the fact that the device (system, component, server, etc.) has outlived its usefulness and is removed from the network. If ever there was a place where an ounce of prevention was worth a pound of cure, this is it.

Our goal here is to first prevent unauthorized access to sensitive data, and, secondly, to create a trail of documentation that validates we performed due diligence in our handling of the sensitive data. Controlled processes and documentation are central to this goal.

This means that internally you need written processes that are monitored with a QA program, and an asset disposition vendor that understands data security, so that the resulting records will be admissible in a court of law.

Page 22: Legal & Security Risks in Off-Network Technology


Some factors to keep in mind as you develop your process are:

STORAGE: Are off-network devices containing sensitive information stored in the same area as new equipment, or maybe in a closet for convenience, potentially exposing them to a larger user community and increasing the possibility of theft or inappropriate access to the, as yet, un-scrubbed confidential data? Are there controls in place to restrict access to the equipment and log who has accessed the equipment?

PRE-DEPLOYMENT: As a foundation of all that follows we recommend inventorying incoming equipment with the use of a database that references an industry standard nomenclature and adheres to that standard. This will save countless hours if reconciliation is required in the future as well as provide evidence of having performed due diligence if a breach occurs.

DECOMMISSIONING: When decommissioning assets, best practices include placing them in a quarantined room with restricted and monitored access. If you are not destroying sensitive information on site, a full audit of your disposition provider is highly recommended.

Remember, employee theft remains the number one risk factor in any organization!

Page 23: Legal & Security Risks in Off-Network Technology


If you are destroying sensitive information internally, be aware that data is often hidden in components other than hard drives, or the hard drives are difficult to find. For the highest levels of security, where sensitive information cannot leave the premises, the room should be equipped with all tools necessary to identify where data resides and to destroy the data. This includes a searchable database that on-site personnel can use to locate and destroy sensitive information. QA programs must be in place regardless of where the data is destroyed, to ensure the quality of the work performed.

If sending decommissioned assets to an asset disposition provider, take the time to have an accurate inventory of what is leaving your building and reconcile that with the reports they produce. Do not provide the list of equipment to the asset disposition provider in advance. Have a process in place to address discrepancies.

DOCUMENTATION: Documentation is used to prove compliance from an environmental and data security perspective. The quality of your documentation and your ability to produce it in a timely manner will greatly impact the outcome of an audit if something were to go wrong.

“In the near future the public will look at companies who are negligent in protecting sensitive information with the same contempt as companies that pollute the environment.” R. D’Amico, President, Brass Valley

Page 24: Legal & Security Risks in Off-Network Technology


Best practices include an auditable chain of custody that proves possession two levels downstream from your facility. Quality reports for each lot, as well as proof of data destruction in a verifiable electronic format, are recommended. An example of proof of network equipment sanitization would be HyperTerminal print-screen shots. Video monitoring of shredding may be recommended for your industry.

PLAN FOR THE WORST: Have a response plan in place for what will happen if something goes wrong. Find out what you’ll need to do, who will need to be notified, what documentation you will need, what your vendor will do to support you, what your insurance covers, and where your insurance coverage falls short.

INSURANCE: Many times asset disposition provider insurance is insufficient to protect you, or protects them and leaves you vulnerable. Review the insurance your asset disposition provider carries; understand what is covered, what is not, and who is covered. A good policy will cover cyber liability, victim notification and credit monitoring, and unlimited attorney fees, to name a few.
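As an added example (not Brass Valley’s code or a description of its service), the following Python script applies the reconciliation practices described above: it checks an internal outbound manifest, which lists every data-bearing component of each asset and is never shared with the provider in advance, against the disposition provider’s destruction report and a chain-of-custody log that must prove possession two levels downstream, and surfaces every discrepancy that would have to be resolved before the lot is closed. The record layouts, field names, accepted sanitization methods and all sample records are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One decommissioned device and the data-bearing components it carries."""
    serial: str
    kind: str
    components: tuple  # every component that must appear as sanitized


# Constructed outbound manifest: the internal record of what left the
# building. It is NOT handed to the provider in advance; it is the
# independent baseline that the provider's report is checked against.
MANIFEST = (
    Asset("SRV-1001", "server", ("hdd-0", "hdd-1", "raid-nvram")),
    Asset("CPY-2201", "copier", ("hdd-0", "fax-memory")),
    Asset("SW-3310", "switch", ("config-nvram",)),
    Asset("LT-4450", "laptop", ("ssd-0",)),
)

# Constructed provider report: (serial, component, method, certificate id),
# one line per sanitized component.
ADP_REPORT = (
    ("SRV-1001", "hdd-0", "shred", "CERT-0001"),
    ("SRV-1001", "hdd-1", "shred", "CERT-0001"),
    # no line for SRV-1001 raid-nvram: data hidden outside the hard drives
    ("CPY-2201", "hdd-0", "wipe", "CERT-0002"),
    ("CPY-2201", "fax-memory", "wipe", "CERT-0002"),
    ("SW-3310", "config-nvram", "factory-reset", "CERT-0003"),
    ("LT-4450", "ssd-0", "shred", "CERT-0004"),
    ("LT-9999", "ssd-0", "shred", "CERT-0005"),  # serial we never shipped
)

# Constructed chain-of-custody log: (serial, custodian, hop number).
# Best practice from the paper: possession proven two levels downstream.
CUSTODY = (
    ("SRV-1001", "ADP-Transport", 1), ("SRV-1001", "ADP-Facility", 2),
    ("CPY-2201", "ADP-Transport", 1), ("CPY-2201", "ADP-Facility", 2),
    ("SW-3310", "ADP-Transport", 1),  # second hop never recorded
    ("LT-4450", "ADP-Transport", 1), ("LT-4450", "ADP-Facility", 2),
)

# Constructed policy: sanitization methods accepted as proof of destruction.
# A factory reset of a switch is deliberately not on the list, since network
# gear retains addresses and passwords in configuration memory.
ACCEPTED_METHODS = frozenset({"shred", "degauss", "wipe"})


def reconcile(manifest, report, custody, required_hops=2):
    """Compare manifest, provider report and custody log; return discrepancies."""
    expected = {(a.serial, c) for a in manifest for c in a.components}
    reported = {(s, c) for s, c, _method, _cert in report}
    shipped = {a.serial for a in manifest}

    return {
        # components we shipped that have no destruction record at all
        "unsanitized": sorted(expected - reported),
        # serials in the provider's report that were never on our manifest
        "unexpected": sorted({s for s, *_ in report} - shipped),
        # destruction records using a method our policy does not accept
        "weak_method": sorted((s, c, m) for s, c, m, _cert in report
                              if m not in ACCEPTED_METHODS),
        # assets whose custody log does not cover every required hop
        "custody_gap": sorted(
            a.serial for a in manifest
            if {h for s, _who, h in custody if s == a.serial}
            != set(range(1, required_hops + 1))),
    }


def is_clean(issues):
    """True when every discrepancy list is empty and the lot can be closed."""
    return not any(issues.values())


if __name__ == "__main__":
    result = reconcile(MANIFEST, ADP_REPORT, CUSTODY)
    for category, items in result.items():
        print(f"{category:13s} {items}")
    print("lot closed" if is_clean(result) else "hold lot: discrepancies open")
```

Each non-empty list is a discrepancy the paper says you need a process for: a missing component record means data may have left the building intact, an unknown serial means the provider’s report cannot be trusted as-is, and a custody gap means possession cannot be proven in court.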

Page 25: Legal & Security Risks in Off-Network Technology


How to get started

Many companies struggle with how to get started in addressing security for off-network devices. Here are three simple steps you can take to get you headed in the right direction:

1. Have an assessment provided by an IT lifecycle management company like Brass Valley. With this assessment you will learn where you are exposed and how to close the gaps.

2. Consult with an attorney experienced in data security and technology law to position your company as best as you can so you are prepared if something goes wrong.

3. Consult with an insurance provider who is experienced in cyber security to make sure you have adequate insurance to protect you and your company if you have to make a claim. The insurance provider can give you guidance.

Page 26: Legal & Security Risks in Off-Network Technology


About Brass Valley

Brass Valley is an IT Asset Lifecycle Service provider and industry leader in client protection practices. We work with clients and industries such as financial services, healthcare, and the Fortune 1000 where protection of sensitive information is a high priority.

To learn more about Brass Valley visit us at www.BrassValley.com

425 Fortune Blvd., Milford, MA
[email protected]

Page 27: Legal & Security Risks in Off-Network Technology


Footnotes

[1] Under the Act, Subtitle D §13410 specifically provides for improved enforcement by State Attorneys General (SAG). SAGs may bring civil actions for alleged violations of the Privacy and Security rules on behalf of state residents. The ARRA/HITECH portions of the legislation institute federal breach notification requirements. The Bill extends liability under federal rules to Business Associates of Covered Entities. The potential consequences of not protecting privacy or security can be severe. Health information is defined as “including demographic information collected from an individual if it is created or received by a healthcare provider, health plan, employer, or health care clearinghouse…”

The Privacy Rule is defined in 45 CFR, Part 164, titled “Security and Privacy”. Subpart D, among other things:

o Establishes standards for use and disclosure of Personal Health Information (PHI) by covered entities
o Establishes individuals’ rights with regard to their PHI
o Sets out general rules that covered entities/business associates may only use and disclose PHI as permitted or required by the HIPAA Privacy Rule
o Provides standards explaining permitted and required uses and disclosures
o Outlines administrative requirements for covered entities
o Addresses security standards and implementation specifications to prevent electronic PHI (ePHI) from unauthorized disclosure or access
o Defines three types of safeguards that covered entities are required to have in place to protect ePHI: administrative, physical, and technical

[2] The factors that must be considered as part of the risk assessment are: (1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) The unauthorized person who used the protected health information or to whom the disclosure was made; (3) Whether the protected health information was actually acquired or viewed; and (4) The extent to which the risk to the protected health information has been mitigated. Depending on the circumstances, other factors may also be considered as part of the risk assessment. 78 Fed. Reg. 5566 (January 25, 2013).

[3] Federal Trade Commission, CFR Part 314, Standards for Safeguarding Customer Information; Final Rule.