

• Number of slides: 31

Overview of Data Privacy and Security Breaches, Laws and Risk Mitigation Measures
Presentation to the Greater Washington, DC Chapter of ARMA International
Wednesday, March 21, 2007
Bruce H. Nielson

Outline of Presentation
§ Data Privacy and Security Breaches, Problems and Risks
  § Data Security Breach Incidents
  § Additional Risks
§ Overview of Applicable Laws and Regulations
  § Federal
  § International
  § State
§ Risk Mitigation Measures
  § Human Resources-related Measures
  § Vendor/Service Provider-related Measures
  § Technological Measures
§ Q & A

Data Privacy and Security Breaches, Problems and Risks
§ 104,137,499
§ Total number of records containing sensitive personal information estimated to have been involved in security breaches since Jan 2005 – probably a significant underestimation
§ http://www.privacyrights.org/ar/ChronDataBreaches.htm
§ Current and recent headlines

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ TJX Says Data Breach Worse than Previously Believed
§ Ongoing probe shows it happened almost a year earlier than first thought, as far back as July 2005
§ TJX still hasn't disclosed the number of shoppers that may have been affected by the breach; analysts believe the number to be in the tens of millions
§ Comerica Bank is reissuing cards to its customers whose account information was compromised in the TJX breach

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Hack Attack Forces Texas A&M To Change 96,000 Passwords
§ Texas A&M University is forcing 96,000 students, faculty, and staff to change their passwords after a hacker attempted a network break-in
§ The university's computer users can get updated information about the break-in and the ongoing investigation at a university web site. University officials are directing people to the web site for information on how to safeguard personal information

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ University of Idaho Put Staff Data on Web
§ Personal information for about 2,700 University of Idaho employees was inadvertently posted at the school's Web site for 19 days in February, though officials say it was not easy to access and there's no reason yet to believe it was misused
§ A university data file was mistakenly included along with a report from the UI's internal research department that was posted at the department's Web site. It contained information including names, birthdates and Social Security numbers for about 2,700 university employees, but did not include any personal financial account numbers

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ CD with Medical Data of 75,000 is Found
§ A missing CD containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was recovered Wednesday
§ A spokeswoman for a managed care company that monitors payments for mental health and substance abuse cases of insurers said the company received a telephone call Wednesday morning saying that the CD was delivered by mistake to a residence in the Philadelphia area. The CD had been missing since January
§ No way to track whether copies of the CD were made

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ PC, Phone Home
§ Several years ago, Bob installed SETI@home on his wife's laptop, which was stolen from the couple's Minneapolis home on Jan. 1
§ Annoyed at the break-in – and alarmed that someone could delete the screenplays and novels that his wife, Sue, was writing – Bob monitored the SETI@home database to see if the stolen laptop would "talk" to the Berkeley servers. The laptop checked in three times within a week, and Bob sent the IP addresses to the Minneapolis Police Department
§ Officers subpoenaed Bob's Internet service provider to determine the address where the stolen laptop logged onto the Internet. Within days, officers seized the computer and returned it to the rightful owners

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Former Fruit of the Loom Workers' Identities Compromised
§ A security breach with a Fruit of the Loom database has left former Rabun Apparel Inc. employees on edge
§ Word spread rapidly across the North Georgia Technical College campus Tuesday morning about how easily one could access the 1,006 names and Social Security numbers of the former employees
§ A Fruit spokesman said Tuesday evening that every possible step was being taken to purge the information from the Internet. Sometime between Tuesday night and Wednesday morning, it could no longer be accessed

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Thief Stole Credit Card Numbers from Seed Site
§ A cyber thief broke into the web site of Johnny's Selected Seeds and stole sensitive customer data, including credit card numbers; in all, 11,500 accounts were compromised. Approximately 20 of the stolen card numbers have been used fraudulently
§ The site is now under 24-hour monitoring to prevent a recurrence; other security measures have also been implemented. Johnny's has notified all people whose account information was stolen. The initial intrusion occurred on February 4, 2007. A company official said "criminals gained access to our internal systems and gathered enough information to allow them to gain access to our web site." The FBI is investigating

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Downloading from the Internet
§ A user downloaded photos of Paris Hilton for her Windows desktop. Windows asked her to confirm executing the file when she got it. Assuming it was just pictures, she agreed. Within a couple of hours, she knew something was wrong when her computer slowed down to the point where she was unable to use it. Even when she rebooted, she couldn't launch programs
§ The IT department determined she had downloaded a Trojan program along with the photo. The downloaded "photo" was an executable with a malicious payload attached that used her computer to send out spam. Her computer had to be rebuilt to eliminate the program. She lost most of the day and a lot of her personal computer settings in the process

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Plugging in USB drives (or any other storage devices or media) that are found lying around
§ People's natural curiosity and desire to help were exploited by a consultant who was hired to check security awareness at a credit union. He loaded malicious software on old thumb drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged one of the thumb drives into his computer, it loaded the software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Use of unauthorized software
§ It may be tempting to install useful-looking software that you can get free on the Internet, but these tools may carry a hidden cost. Installing them can cause other programs to stop working, and it can take a long time for your IT teams to track down the problem. More seriously, they can display unwanted ads, slow your PC down or make it less secure by letting the PC download more ads from the Internet. Most seriously, they can be infected by viruses or spyware that are intended to damage your PC or steal confidential information

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Your new ID-theft worry? Photocopiers
§ No known incidents yet, but the potential is very real
§ Most digital copiers manufactured in the past five years have disk drives to reproduce documents; copiers can retain the data being scanned
§ If the data on the copier's disk aren't protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, sensitive information from original documents could get into the wrong hands
§ More than half of all Americans may unknowingly put their private financial information at risk this tax season when they copy their tax returns

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Instant Messaging Security Risks
§ IM creates new avenues for the distribution of malware (viruses, worms, spyware, etc.), which can jeopardize the security of a computer network
§ IM opens new "holes" through which information that is to be kept secure and confidential can be leaked
§ IM may create "invisible" communications channels that operate below the radar of conventional information security measures

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Wireless and Voice Over the Internet Protocol ("VoIP") Security Risks
§ Interception or capture of transmissions or packets
§ Modification of transmissions or packets
§ ID theft and theft of services; hijacking a VoIP call and masquerading as the intended called party
§ Denial of service attacks that disrupt all data streams

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Employees and Vendors: Weak Points in Data Privacy and Security Strategy
§ With news of another high-profile data security breach almost a daily occurrence, companies must ensure two crucial weak points — their employees and third-party vendors — are covered in their data privacy and security protocols
§ Employers are responsible for employee theft of information, and may also be liable if they don't ensure third-party vendors have sufficient controls in place

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Most Data Breaches Traced to Company Errors
§ Research from the University of Washington, Seattle says that organizations are more often to blame for data security breaches than outside intruders
§ The study looked at 550 data breaches that received media coverage between 1980 and 2006
§ Two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management or employee errors
§ Less than one-third of the breaches were the work of outside attackers

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ Intel Fails to Keep Antitrust Email
§ Intel said it has not properly preserved emails related to its ongoing antitrust litigation with rival Advanced Micro Devices
§ In a court filing, lawyers for Intel blamed human error for a number of "inadvertent mistakes" that it says resulted in certain employees failing to retain outgoing emails as required, as well as some employees not receiving timely instructions to save documents

Data Privacy and Security Breaches, Problems and Risks (cont.)
§ What's the solution?

Overview of Applicable Laws and Regulations
§ Federal Data Privacy and Security Laws
§ Gramm-Leach-Bliley Act (1999)
§ Applies to "financial institutions"
§ Protects non-public personal financial information of consumers
§ Regulations promulgated by the banking regulators, the SEC and the FTC
§ Has data privacy and security requirements
§ Notice and opt-out model

Overview of Applicable Laws and Regulations (cont.)
§ Federal Data Privacy and Security Laws (cont.)
§ HIPAA – The Health Insurance Portability and Accountability Act of 1996
§ Applies to health care providers, health plans, and companies that receive and process health information from health care providers and health plans – so-called business associates
§ Requires a Business Associate Agreement
§ Protects "individually identifiable health information"
§ Does not apply to de-identified health information

Overview of Applicable Laws and Regulations (cont.)
§ Federal Data Privacy and Security Laws (cont.)
§ Fair and Accurate Credit Transactions Act of 2003
§ Prohibits all persons and entities that accept credit cards and debit cards for business transactions from printing more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction
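As an added example, not part of the presentation, here is what that truncation rule looks like in code at the point of sale, written in Python. mask_pan applies the last-5-digits ceiling while keeping the number's separators, receipt_card_line prints no expiration date, and find_unmasked_pans is the complementary check a reviewer would run over receipt templates or printer logs to catch a full card number that slipped through (digit runs of 13 to 19 that pass the Luhn check, so dates, totals and phone numbers are ignored). The card number is the public Visa test number used as constructed input; all function and constant names are mine, and the receipt text is constructed.

```python
"""
Added example (not from the presentation): FACTA receipt truncation.

FACTA limits an electronically printed point-of-sale receipt to the last 5
digits of the card number and forbids printing the expiration date.
mask_pan() applies the rule, receipt_card_line() builds the receipt line,
and find_unmasked_pans() is the check a reviewer runs over receipt
templates or printer logs to catch a full PAN that slipped through.
"""
from __future__ import annotations
import re

MAX_VISIBLE_DIGITS = 5  # FACTA ceiling; a stricter standard may allow fewer


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters dates, totals and phone numbers out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Replace every digit except the last `visible` with '*', keeping separators."""
    if not 0 <= visible <= MAX_VISIBLE_DIGITS:
        raise ValueError("FACTA allows at most the last 5 digits on a receipt")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    first_visible = len(digits) - visible
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(ch if seen >= first_visible else "*")
            seen += 1
        else:
            out.append(ch)  # keep spaces/dashes so the masked value keeps its shape
    return "".join(out)


def receipt_card_line(brand: str, pan: str) -> str:
    """Card line for a printed receipt: masked PAN and, deliberately, no expiration date."""
    return f"{brand} {mask_pan(pan)}"


# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer run
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def find_unmasked_pans(text: str) -> list[str]:
    """Return digit runs that look like card numbers and pass Luhn: likely full PANs."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"\D", "", m.group()))]


# Constructed receipts using the public Visa test number 4111 1111 1111 1111.
# The first prints the full PAN and expiration date; the second uses receipt_card_line().
RECEIPT_NONCOMPLIANT = """ACME MART  03/21/2007
VISA 4111 1111 1111 1111  EXP 09/09
TOTAL $42.17
"""

RECEIPT_COMPLIANT = (
    "ACME MART  03/21/2007\n"
    + receipt_card_line("VISA", "4111 1111 1111 1111")
    + "\nTOTAL $42.17\n"
)

if __name__ == "__main__":
    print(RECEIPT_COMPLIANT)
    print("leaks:", find_unmasked_pans(RECEIPT_NONCOMPLIANT))  # ['4111 1111 1111 1111']
    print("leaks:", find_unmasked_pans(RECEIPT_COMPLIANT))     # []
```

The scanner is the part worth keeping after the printer template is fixed: run it over archived receipt images' OCR text or spool files, since the rule is violated by whatever is actually printed, not by what the template intended.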

Overview of Applicable Laws and Regulations (cont.)
§ Federal Data Privacy and Security Laws (cont.)
§ Proposed federal legislation for a data security breach notification law
§ It's Round 2 in Congress' bid to craft a federal law that would require businesses to notify U.S. consumers about computer data-security breaches. Some believe that legislation introduced in February soon could become law, given the cooperative tone of federal lawmakers. That would be a reversal from the previous few years, when members of the House and Senate could not agree on a national data-breach law, and dozens of states passed their own laws

Overview of Applicable Laws and Regulations (cont.)
§ Foreign Laws
§ EU Data Directive – Directive 95/46/EC of the European Parliament and of the Council of October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
§ Canadian Privacy Law – An Act to Support and Promote Electronic Commerce by Protecting Personal Information that is Collected, Used or Disclosed in Certain Circumstances...
§ Notice and opt-in model

Overview of Applicable Laws and Regulations (cont.)
§ State Laws
§ Non-disclosure of Social Security Numbers
§ More than half of the states have laws that prohibit the disclosure of "whole" social security numbers without consent
§ Data security breach notification laws
§ Nearly three quarters of the states have laws that require notification of affected individuals in the case of a data security breach incident, along with certain remedial measures

Overview of Applicable Laws and Regulations (cont.)
§ Absence of Federal Data Breach Notification Law, and Passage of State Laws, Results in...

Risk Mitigation Measures
§ Human Resources-related Measures
§ Employee background checks
§ Employee training and education
§ Acceptable use policies for emails, IMs, downloads, and use of the Internet and company systems and equipment
§ Disclaimer of privacy when using company assets
§ Appropriate monitoring of usage
§ Appropriate actions against violators

Risk Mitigation Measures (cont.)
§ Vendor/Service Provider-related Measures
§ Background checks of vendor and service provider personnel
§ Vendor and service provider agreements to comply, and to cause their employees to comply, with applicable laws and with the vendee's data privacy and security policies
§ Indemnification from vendors and service providers against costs, losses and expenses from any data security breach or failure to comply with applicable law or the vendee's policies

Risk Mitigation Measures (cont.)
§ Technological Measures
§ Password protection for computers, devices, networks, documents and databases
§ Physical security for servers, equipment, devices and data and document storage and processing areas
§ Data encryption
§ Internet firewalls, email filters, anti-virus software programs and metadata scrubbing programs
§ Tracking of missing/stolen devices
§ Data security breach response plan

Questions and Answers