Data Security Breaches: A Legal Guide to Prevention and Incident Response
By Stephen Wu
I. Why Worry About Data Security?
Data breaches continue to be an everyday occurrence. We see them in the news all the time. The recent Equifax breach is only the latest in a long string of breaches. Competitors, former employees, and state-sponsored groups seek companies’ trade secrets in order to bolster competing businesses. Hacktivist groups seek to damage the reputation of companies by publicizing sensitive information. Organized crime rings seek sensitive information for profit.
The consequences of data breach liability are becoming apparent. Merchants sued for data breaches are paying staggering amounts to investigate and settle the cases against them. The TJX Companies set aside $107 million to cover the litigation against it and regulatory actions. Heartland Systems set aside $73.3 million for breach expenses in 2009.
Although TJX and Heartland are huge cases, other companies discover (or perhaps fail to discover) smaller security breaches every day. For instance, former employees departing companies commonly misappropriate trade secrets and confidential information as they leave their employment. Security breaches, both large and small, cost companies real money every day in investigation and remediation costs, litigation costs, customer anger, reputation losses, loss of competitiveness, and ultimately, loss of revenue and shareholder value.
II. Business Risks
Security breaches damage a company’s business and create financial and legal risks. First, a security breach involving the loss of trade secrets or confidential information may imperil the future of a company’s business. Companies depend on keeping the new product and services they are developing away from competitors. Customer lists are critical to sales efforts. The loss of these key assets jeopardizes a company’s ability to compete in the marketplace.
Second, the costs involved with responding to a security breach are considerable. Companies responding to breaches may hire computer forensic experts to examine the cause of the breach and preserve evidence. They may retain information security firms to close vulnerabilities. In addition, companies may engage public relations and crisis communications experts to deal with consumers and the public to protect their reputation. All of these expenses are in addition to legal fees incurred in the investigation and possible defense of claims brought by consumers against companies that compromised their personal information. For major breaches, the legal fees alone could amount to millions of dollars.
Finally, security breaches impact a company’s reputation. Customers may start to feel uncomfortable doing business with a company that apparently did not, before the breach, prevent the compromise of their sensitive information. The loss of reputation may cause customers to move to competitors or deter potential customers from doing business with the company. A reduction in customer business hits the pocketbook with reduced sales revenue and lost profits. Ultimately, the damaged reputation and diminished revenue stemming from a breach may reduce shareholder value and cause stock price drops.
III. Different Facets of Information Security Law
What is information security law? Information security law is an emerging area of law focusing on one of our society’s most valuable sources of wealth – information. Information security law is nothing new. Nonetheless, information security law is “emerging” in the sense that it has arisen largely in the last two decades, as opposed to more traditional areas of law, like real estate, that have been with us since the founding of the United States. It has also emerged because developments in the law have been accelerating in recent years.
Returning to the original question, what is information security law? Also, what do information security lawyers do?
Information security law, or infosec law, is in some ways a new area of law. In other ways, it is a new area of practice for law firms and has an industry-specific focus. This article discusses all of the dimensions of information security law.
Information security, as an emerging area of law, includes a number of components. First and foremost, information security lawyers counsel their clients on requirements to keep data and information systems secure. These requirements may stem from public law (statutes and regulations) or private arrangements made via contracts. Infosec lawyers help clients answer the key question: What does my company need to do to comply with infosec requirements under applicable law and contracts?
Second, infosec law addresses liability that arises from security breaches or defects in security products or services. Parties injured by a security breach may sue to seek damages or an injunction against the parties responsible for the breach. When the perpetrators are unable to be found or it isn’t worth suing them, injured parties may sue others who supposedly allowed the breach to occur or failed to stop it. Companies purchasing security products or services may sue their vendors when the products or services don’t work as advertised or when they fail to prevent a breach. Infosec lawyers bring suit on behalf of the injured party or defend these kinds of suits.
Third, infosec law covers secure electronic commerce. Secure electronic commerce answers questions, such as:
- How do parties form contracts online?
- Are online contracts treated the same as paper contracts under the law?
- What must a person or business do to authenticate himself, herself, or itself to another party online?
- What must be done to tie an individual or business to an online transaction and hold that party accountable for it?
- How can you show that a person has agreed to an online transaction: an electronic signature, a secure form of electronic signature, or a digital signature?
Secure electronic commerce systems or programs may, for instance, establish a trading community in which a large organization can procure products or services from its vendors. Electronic “commerce” can also include e-government services. For example, an environmental regulatory agency may establish an online presence to accept submissions of environmental reports and disclosures. E-commerce lawyers counsel clients concerning ways to establish secure e-commerce systems, the interplay between background law and contracts involved in establishing these systems, and liability concerns arising from e-commerce activities.
In addition to being an area of law, infosec law is also a law practice. Lawyers from a variety of traditional practice areas may work in the information security area. For instance, lawyers specializing in government regulatory matters may advise clients on federal or state statutes that impose infosec requirements. Attorneys working in government affairs in Washington or state capitals may become involved in lobbying efforts for or against new infosec legislation, such as the federal breach notification bills. Litigation lawyers are likely to be the professionals handling disputes arising from security breaches. Finally, members of technology transactions groups are often the first lawyers called in to counsel clients seeking to protect sensitive information in IT arrangements or engage in secure e-commerce, although technology attorneys with the specialized skills needed to provide in-depth advice have created a distinct sub-specialty within the technology transactions umbrella.
Finally, information security lawyers focus on one industry: the information technology industry. Some law firms have IT law groups whose work includes addressing the specific needs of vendors of information security products and services. Infosec lawyers need to develop deep IT experience and exposure to clients that depend on IT for their operations and sometimes their entire livelihood. More recent trends, such as cloud computing, pose even greater challenges to the legal community.
Infosec lawyers cultivate contacts among IT professionals and infosec professionals, in particular. Servicing clients’ infosec legal needs is a multi-disciplinary endeavor, and lawyers are creating fruitful partnerships and relationships with outside and in-house technical experts. Lawyers in the infosec field simply cannot perform their jobs alone. They require considerable assistance from experts with the technical expertise to provide comprehensive advice to clients.
In sum, information security is at once an emerging area of law, an area of practice and an industry focus. As with new areas of the law in the past, attorneys practicing infosec law are those who have experience in allied areas of law and who have IT and infosec technical expertise. The mix of technical and legal issues, the need to work with multi-disciplinary teams, and the novelty of the field challenge infosec lawyers, but make for a fascinating area of the law.
IV. Compliance with Security Laws
Over the years, state, federal, and international data security laws have proliferated. These laws impose security requirements on the businesses and governmental entities that they cover. At first, these laws focused on specific sectors of the economy, such as financial services, health care, or government. Later, state legislatures, foreign governments, and international bodies created more general data protection laws that cut broadly across sectors. Some of these laws establish only general requirements, such as the mandate to protect certain kinds of information with “reasonable security.” Others provide a much more detailed set of requirements, some that even relate to the use of specific technologies, such as encryption.
Most security-related laws mandate the implementation of security controls to protect security-sensitive information. Other laws, however, create business opportunities if companies adopt security technologies.
A. Sarbanes-Oxley Act
Congress enacted the Sarbanes-Oxley Act (SOX) to cover publicly traded corporations and address financial scandals, such as Enron and WorldCom. SOX addresses fraud in the finance departments of public companies by requiring that public companies establish reliable “internal controls” for gathering, processing, and reporting financial information with the ultimate goal of ensuring accurate reporting of public companies’ finances for the benefit of investors. While SOX and its regulations do not directly require specific data security controls, auditors and leading organizations have created guidance documents to define internal controls, and some of the guidelines address information security controls as a foundation for creating strong internal controls.
B. Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) loosens certain regulations on the financial services industry. However, it contains privacy and security requirements on financial institutions, which GLBA defines broadly. GLBA and regulations under it call for financial institutions to protect the privacy of their customers and to protect the security and confidentiality of their customers’ nonpublic personal information.
C. Federal Information Security Management Act
Congress passed the Federal Information Security Management Act (FISMA) to promote the security of federal agency information systems. FISMA requires that agencies create and implement security programs and report the results of these programs to the Office of Management and Budget, which reports the results to Congress. The National Institute of Standards and Technology (NIST) provides guidance with publications containing specific technology controls and standards for agencies to implement and meet.
D. Fair and Accurate Credit Transactions Act/Red Flags Rule
The Fair and Accurate Credit Transactions Act (FACTA) helps to reduce consumer risks associated with identity theft. Under FACTA, the Federal Trade Commission (FTC) and other agencies promulgated what are known as the “Red Flags Rules,” which cover financial institutions and creditors that hold consumer accounts. Covered entities must create an Identity Theft Prevention Program for combatting identity theft, which includes reasonable policies and procedures for detecting, preventing, and mitigating identity theft. These policies and procedures should include information security controls.
E. Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA), among other things, helps workers by protecting the portability of their health coverage. However, HIPAA contains administrative simplification provisions promoting electronic health transactions and protecting the privacy and security of health information as it is processed in these transactions. Under HIPAA, the Department of Health and Human Services enacted comprehensive and broad privacy rules and security rules, which call for specific security controls. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) within the American Recovery and Reinvestment Act of 2009, as well as final HIPAA/HITECH regulations issued in 2013, expanded the scope of the HIPAA Security Rule and included new breach notification requirements regarding the compromise of health information.
F. California Confidentiality of Medical Information Act and Other State Privacy Laws
The California Confidentiality of Medical Information Act and other California laws prohibit healthcare providers from disclosing patient records without authorization. Moreover, other California laws prohibit healthcare workers from “snooping” in patient records, which were enacted after high-profile security breaches resulting from hospital workers looking at celebrities’ records. Newer legislation requires healthcare providers to protect the integrity of medical records and log access to them.
G. California SB 1386 and AB 1950
California was the first state to enact a breach notification law, SB 1386, requiring businesses and state agencies to notify affected California residents whose personal information was compromised. SB 1386 covers personal information in the form of a driver’s license/California ID card number, social security number, or financial account number (with access code) in combination with a last name and first name or initial, as well as medical records. The law covers businesses that own or license such personal information. SB 1386 requires them to notify California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
California’s AB 1950 covers the same category of businesses and personal information. Under AB 1950, covered entities must implement reasonable security procedures and practices to protect personal information against unauthorized access, destruction, use, modification, or disclosure. AB 1950 does not call for specific security controls.
Other states and nations have laws or guidelines similar to both SB 1386 and AB 1950.
H. State Consumer Protection Laws
California has three laws commonly used in consumer claims against product and service providers. First, California’s Unfair Competition Law (UCL) strikes at “unfair competition,” including unfair and deceptive trade practices. The UCL appears at Business & Professions Code Section 17200 and following sections. Second, California’s False Advertising Law prohibits making untrue or misleading advertising statements. Finally, the California Consumers Legal Remedies Act prohibits specific categories of unfair and deceptive trade practices.
I. Cybercrime Laws
Federal and state cybercrime laws prohibit, among other things, gaining unauthorized access to computer systems, damaging computer systems, or spreading malware. The federal Computer Fraud and Abuse Act is a criminal statute. It creates a private right of action for victims of certain categories of cybercrimes. While these laws do not establish security requirements per se, they may become relevant to the conduct of company personnel. Companies should train and supervise their employees to prevent them from violating these laws in developing products, delivering services, or the conduct of their business.
J. EU General Data Protection Regulation
In May 2018, companies collecting and processing personal data from citizens of the European Union and European Economic Area (the EU plus Iceland, Liechtenstein, and Norway) will need to comply with the EU General Data Protection Regulation or “GDPR” for short. The GDPR is a law that recognizes the fundamental rights of individuals (called “data subjects”) to certain privacy rights. As a regulation, the law imposes a uniform framework of privacy requirements on the member states of the European Union and the European Economic Area.
GDPR covers a wide variety of “personal data.” “Personal data” means any information relating to an identified or identifiable natural person, including but not limited to names, health information, financial information, email addresses, and even IP addresses, phone numbers, and device identifiers.
Businesses in the United States that have a European presence or are cultivating a customer base in Europe are potentially covered. In addition to certain privacy protections, Article 32 of GDPR requires companies collecting personal data (“controllers”) and data processors working on behalf of controllers to implement security controls. Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including ensuring the confidentiality, integrity, availability, and resilience of processing systems and services.
V. Liability Risks
When high-profile security breaches cause the loss of consumer personal information, lawsuits frequently follow. In fact, in the Sony PlayStation security breach, lawyers filed a class action against the company nine days after the breach occurred. If your company holds consumer personal information, a class action against your company is a significant risk if a data breach occurs.
Plaintiffs have asserted a number of claims against companies that have experienced data breaches. First, they frequently assert negligence claims against the defendant companies. Typically, plaintiffs claim the company had a duty to protect the security of personal information, the company failed to exercise reasonable care to protect that information, a breach occurred as a result, and the breach caused the plaintiffs damage.
Second, plaintiffs may assert a breach of contract claim against the company hit by the breach. They may point to express promises of security or claim an implied contractual duty to protect information. They then contend that the compromise in security constituted a breach of the contract between the company experiencing the breach and its consumer customers.
Finally, plaintiffs may assert statutory claims against the company based on laws against unfair and deceptive trade practices or laws against false advertising. They may contend that inadequate security is an unfair trade practice, misleads consumers (perhaps because of advertised assurances of security), or is illegal under data security laws. The violations may entitle consumers impacted by the breach to a refund of their payments to the company. In addition, the FTC may bring an enforcement action against a company experiencing a breach for these same reasons.
Companies may also face information security liability for alleged privacy violations or for failing to supervise their employees. If companies roll out products or services that allegedly violate consumer privacy by accessing their applications or devices without permission, they may be sued for violating cybercrime laws. In addition, if rogue employees within companies gain unauthorized access to competitors’ computer systems to uncover business intelligence, the companies may face cybercrime claims based on the unauthorized access.
VI. How to Prevent Breaches?
Preventing data breaches requires a combination of approaches to manage people, processes, and technologies to implement robust security controls. This section addresses the security controls that can help you minimize the risk of security breaches. It is impossible to prevent all data breaches, and it would be cost-prohibitive to try. Nonetheless, each organization will need to conduct its own risk management process to settle on a balance between implementing controls to minimize the risk of breaches and the time, effort, and money needed to implement such controls.
This section refers to a business covered by a security policy as the “Covered Entity.”
A. Administrative Controls
Administrative safeguards are the non-technical, “soft” measures that management establishes regarding acceptable employee conduct, personnel procedures, and correct technology usage within the enterprise.
1. Risk Analysis and Management
Risk analysis consists of four components:
- Asset identification and valuation
- Threat identification
- Vulnerability identification
- Risk identification
2. Asset Identification and Valuation
The term “assets” refers to items of value to the Covered Entity, which includes (among other things) computer hardware, mobile devices, software, records, and other information. Asset identification and valuation involves listing assets to be considered within the scope of the risk assessment. Once identified, the Covered Entity needs to assign the appropriate value to each asset, which can be monetary or simply a qualitative measure of the asset’s value (e.g., high, medium, or low).
3. Threat Identification
A threat is a negative event that has the potential to damage an asset that is vulnerable to such a threat. Information security threats compromise the confidentiality, integrity, or availability of information. Threats may be intentional, such as a hacker attempting to break into a network. Additionally, threats may also be inadvertent, such as the mistyping of an e-mail address, which may be attributable to natural human carelessness or fatigue. Threats may extend beyond human conduct, whether intentional or not, to natural or physical phenomena. For instance, hurricanes and earthquakes pose threats to the availability of information when they strike data centers and the equipment operating in them.
4. Vulnerability Identification
A vulnerability is a weakness in an asset that allows a threat to damage that asset. This weakness can stem from the lack of a control designed to protect the asset, a weakness in the control, or in a characteristic of the asset itself. Threats have the potential of exploiting these weaknesses to damage the confidentiality, integrity, or availability of the asset. Because vulnerabilities only exist in the context of a threat, the Covered Entity must carefully consider which threats are relevant to them when assessing the vulnerability of an asset to a particular threat.
5. Risk Identification
The risk identification step analyzes risk based on the likelihood that a threat will exploit a vulnerability and the impact that event would have on the vulnerable asset. The Covered Entity can use existing questionnaires, interviews with experts, past history and other means to determine the risks the organization may encounter. The Covered Entity should document potential risk elements as part of its risk management process. High risks are those involving threats that occur frequently and/or exploit vulnerabilities of high-value assets. Low risks are those where a minor vulnerability may expose a low-value asset to unlikely or infrequent compromise or loss. Even when the risk identification step is completed, there is a remaining “unidentified risk.”
Risk Management describes the continuous, iterative process of:
- Analyzing changes to the Covered Entity’s environment, including such factors as: (i) implementation of new technology and associated vulnerabilities; (ii) developments in new threat technology; (iii) changes to organizational structure and business goals; and (iv) changes in regulations.
- Measuring and prioritizing risks and corresponding mitigation measures and incorporating them into a Risk Management Plan.
- Implementing those mitigation measures defined in the Risk Management Plan.
The Risk Management Plan should address how a risk is to be managed to an acceptable level. Risks may be prioritized on the basis of degree of risk, magnitude of harm that a threat could cause, the cost to mitigate a vulnerability, business goals and critical needs, and expected effectiveness of mitigation measures.
6. Security Management Function
A Covered Entity should have a person in charge of the information security function at the company. For purposes of accountability, that one person should be accountable to senior management and ultimately the board of directors or equivalent. If the Covered Entity does not have such a person, then the security function is scattered, multiple people may attempt to shift responsibility among themselves, and critical security tasks may fall through the cracks. Frequently, management assigns security oversight in a company to a Chief Information Security Officer.
7. Hiring/Supervising/Terminating Workers/Single-user Accounts/Accountability
People are the weakest link in any security program. To address this vulnerability, the Covered Entity must institute policies, procedures, and standards for ensuring that the security risk of the workforce itself is managed. Workers who do not need access should not be given access rights, and workers without explicit access rights should be denied access to security-sensitive information. To comply with these administrative safeguards, the Covered Entity, through administrative procedures, should implement the following three procedures:
- Authorization and/or supervision (granting access privileges and supervising workers’ access to security-sensitive information),
- Workforce clearance procedure (managing the hiring and HR policies of the Covered Entity to ensure that it fills roles with trustworthy and competent personnel), and
- Termination procedures (revoking access privileges and obtaining the return of devices, media, and security-sensitive information).
8. Access Management
These administrative procedures govern how Covered Entities grant access privileges for applications, workstations, and security-sensitive information to authorized people in the organization. When determining who in the organization should access systems, programs, databases, or other intermediaries to security-sensitive information, management should consider policies that limit access to the minimum number of people and minimum extent necessary for employees to perform their job. Granting privileges that exceed the minimum required for proper job performance can add risk to the security and privacy of sensitive information.
9. Security Awareness and Training
People cannot perform their duties securely unless they are familiar with the entity’s security policies and procedures. Awareness allows employees to grasp the importance of security and its role in protecting privacy. Training focuses on how to use the security features and maintain a secure information-processing environment.
Reminders: training and awareness are continuous, not one-time events. The Covered Entity must have an ongoing, periodic security awareness and training program. Its goal should be to keep staff updated on the latest risks and threats the system is facing, as well as any changes in the Covered Entity’s security programs.
Malware/Social Engineering: The organization must have a policy and procedure on how it will protect itself from malicious software and phishing attacks. Malicious software can be any code that affects the confidentiality, integrity, and availability of security-sensitive information. Examples of malicious software include viruses, worms, and Trojan Horses. Most recently, companies have been victimized by numerous “ransomware” attacks in which malicious software encrypts a company’s data and attackers demand a ransom to decrypt the information.
Software can enter the environment from many sources including email, USB drives and other media, employee-installed software, and websites. Phishing attacks involve sending messages to people to get them to sign into phony sites and disclose their login credentials, which can be harvested and used for impersonation, identity theft, and other malicious purposes.
Log-in Monitoring: the Covered Entity should have appropriate procedures for monitoring attempts to log into systems or applications that contain or can access security-sensitive information and for reporting anomalous events. Examples of these events include:
- Unusual times for a workstation to be active or logged in (such as well after business hours or during an employee’s off time), which may indicate an employee may be trying to get protected information outside of the scrutiny of his/her supervisor, or an attacker may be attempting to gain unauthorized access.
- Unusually high numbers of failed login attempts (which might indicate that an attacker is trying to log in, does not know the password, but is attempting to guess the password).
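The two anomalous events listed above can be checked mechanically. The following is an added example, not code from the article or from any product the author describes: a small monitor that parses constructed, syslog-style authentication lines and flags successful logins outside an assumed business-hours window and bursts of failed attempts for one user from one source inside a sliding time window. The log format, user names, addresses, the 07:00 to 19:00 window, the five-failure threshold and the 300-second window are all assumptions chosen for the illustration; a real deployment would take them from the Covered Entity's own policy.

```python
"""Added example (not from the article): flag off-hours logins and
failed-login bursts in constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines in an assumed "timestamp auth key=value ..." format.
SAMPLE_LOG = """\
2024-03-04T09:02:11 auth user=alice src=10.0.0.12 result=success
2024-03-04T09:05:40 auth user=bob src=10.0.0.15 result=failure
2024-03-04T09:05:44 auth user=bob src=10.0.0.15 result=failure
2024-03-04T09:05:49 auth user=bob src=10.0.0.15 result=failure
2024-03-04T09:05:53 auth user=bob src=10.0.0.15 result=failure
2024-03-04T09:05:58 auth user=bob src=10.0.0.15 result=failure
2024-03-04T09:06:03 auth user=bob src=10.0.0.15 result=failure
2024-03-04T23:41:07 auth user=carol src=10.0.0.20 result=success
2024-03-04T10:15:00 auth user=dave src=10.0.0.30 result=failure
2024-03-04T10:16:00 auth user=dave src=10.0.0.30 result=success
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working window
FAILED_THRESHOLD = 5                         # assumed failures per user/source
WINDOW_SECONDS = 300                         # assumed sliding window length


def parse_line(line):
    """Turn one log line into a dict with a datetime and the key=value fields."""
    ts_str, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts_str), **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def off_hours_logins(events, hours=BUSINESS_HOURS):
    """Successful logins whose time of day falls outside the working window."""
    start, end = hours
    return [e for e in events
            if e["result"] == "success" and not (start <= e["ts"].time() < end)]


def failed_login_bursts(events, threshold=FAILED_THRESHOLD, window=WINDOW_SECONDS):
    """(user, src, count) for every user/source pair with at least `threshold`
    failures inside any sliding window of `window` seconds."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_key[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), stamps in by_key.items():
        stamps.sort()
        left, best = 0, 0
        for right, ts in enumerate(stamps):
            # Advance the left edge until the window fits.
            while (ts - stamps[left]).total_seconds() > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            alerts.append((user, src, best))
    return alerts


def report(text):
    """Summarise both anomaly classes for a block of log text."""
    events = parse_log(text)
    return {
        "off_hours": [e["user"] for e in off_hours_logins(events)],
        "failed_bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed sample, carol's 23:41 login is reported as off-hours and bob's six failures within 23 seconds trip the burst rule, while dave's single failure followed by a success does not. Sorting the timestamps before applying the sliding window means lines can arrive out of order, as they do when several hosts forward to one collector.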
Password/Credential Management: Covered Entities can train their personnel to choose and maintain secure passwords used for access control to systems and information. Passwords may have security standards themselves such as:
- Minimum length.
- Complexity (e.g., required numeric and non-alphabetical characters, lower and upper case letters, etc.).
- Difficulty of guessing (e.g., avoidance of dictionary words, maiden names, pets’ names, spouse’s name, etc.).
- Minimum and maximum usage time dictating when they must be changed.
Password management and password confidentiality policies and procedures directly affect the security of the accessed system or application.
If the Covered Entity uses authentication methods other than passwords, such as smart cards or other hardware tokens, it should have policies and procedures for issuing, managing, and revoking credentials associated with such devices.
10. Incident Response and Handling
The Covered Entity should train all personnel to be aware of events that may show a security incident took place. It should also establish mechanisms and procedures for reporting such incidents as potential security incidents, and procedures for investigating and responding to such incidents.
As a response to incidents, Covered Entities must take steps to mitigate the effect of incidents. Mitigation may take the form of closing a vulnerability that caused the incident, retrieving information that was lost or misappropriated, implementing a new security safeguard, or strengthening an existing safeguard.
In any event, Covered Entities should document incident reporting and handling to make a record of what happened, assist in managing future efforts to respond to the incident, and facilitate remedial actions to prevent similar incidents in the future.
11. Backup/Disaster Recovery/Business Continuity
Data backup planning and execution involves more than occasionally making a copy of security-sensitive information and storing it somewhere. Backup planning and implementation should be a formal process that includes planning for:
- Backup frequency and maximum allowable data loss. The backup frequency (e.g., once per week, once per day, once per hour) and the location of the backup media determine the maximum allowable data loss (the amount of data that wasn’t backed up, but now due to the emergency or other incident, is not retrievable).
- Maximum time to restore. This metric determines how long it will take to move the backup copy into service. Different methods of storage – tape, optical disk, etc. – require different amounts of time to restore.
Backups need the same security protection as information receives in its primary (production) systems for normal use. Backup policies and procedures must be subject to the same management controls as the production services.
12. Assessment
No policy or procedure lasts forever. Management should ensure that policies and procedures are kept current with prevailing security threats, information system vulnerabilities, and security and privacy risks. Management should identify the policy and procedure evaluation frequency (such as once per year, etc.) and document it in the Covered Entity’s security policies and procedures. Covered Entities need to maintain version control of all policies and procedures. All personnel and advisors should be working with the most recent version of a policy or procedure.
13. Third-Party Supervision
Today, outsourcers and vendors perform many key roles for Covered Entities. When performing these functions, they will likely have access to security-sensitive information. Covered Entities should put into place appropriate agreements to require that third-party service providers protect the security of such information. Agreements should identify the information that needs to be protected, require assurances of security, contain a mechanism to assess compliance, require notification if a security breach occurs, and impose consequences in the event of a breach.
B. Physical Safeguards
Physical safeguards consist of the business policies, procedures, and recordkeeping required to protect a Covered Entity’s physical facilities and equipment that contain security-sensitive information against specified hazards.
1. Facility Planning
Part of planning for physical safeguards involves protecting information systems from physical intrusions, such as break-ins, and from workers with legitimate access to some facilities seeking to gain unauthorized access to facilities to which they have no access privileges. A Covered Entity should have documented and implemented policies and procedures to limit who has physical access to information systems, such as who has the ability to touch the information system component’s keyboard, to look at its screens, to access servers, or to take a laptop out of the workplace and into the home or car.
Data center construction involves complex planning to protect sensitive systems in high-security zones. Information security professionals speak of protecting sensitive systems with multiple physical security tiers. A tier is a self-contained protected area that cannot be accessed from outside without entering through an opening to which access is controlled, for example a locked door. High security zones are protected by multiple tiers of physical security.
Because information systems are increasingly mobile, the physical premises, interior, and exterior of a building that contains sensitive information could include an employee’s home or other structure outside the general intuitive meaning of a workplace building. Thus, the concept of a controlled facility may extend into these non-traditional areas. The Covered Entity must consider the impact of physical security across its entire extended facility.
2. Workstation/Mobile Device Use Policies and Procedures/BYOD
The mobile revolution has engulfed the business world. People are increasingly using tablet computers, smart phones, and other mobile devices to perform business-critical functions. At the same time, people still use PCs for much of the intensive work they do, such as writing lengthy reports, doing work that requires the use of large displays, or running processor-intensive applications. Theft and loss of mobile devices and laptops are still leading causes of data breaches. Office break-ins show that even desktop PCs and servers are vulnerable to theft. Both computers and mobile devices require protection, and the Covered Entity should have policies and procedures in place to prevent the accidental loss and theft of computing devices.
In addition, companies are increasingly embracing “bring your own device” (BYOD) – a policy that permits workers to choose the mobile device they want to perform work functions. Companies may pay for such devices, may subsidize the cost, or may simply require employees to bear the cost of such devices. BYOD advocates tout the policy’s ability to increase worker productivity and acceptance, since they are using devices they like and feel most comfortable with. Companies that shift some or all of the cost of devices on employees may see savings.
On the other hand, BYOD policies have their own set of security and privacy challenges that companies must consider before adopting them. For instance, among other things, companies must have policies, procedures, and technology to secure company information stored on the devices, ensure that the devices do not introduce malware into the company’s systems, ensure that they meet company security standards, register the devices, control access to company networks when workers are using them, and ensure that the company has access to such devices in the event of an e-discovery request or upon termination of the worker.
3. Physical Safeguards Around Workstations
Workstation security involves the Covered Entity assessing and managing the risk of what work is being done and where. Administrative and technical safeguards may be taken into account when a Covered Entity determines the overall risk to information security that a particular location poses. The use of partitions and the layout of workstations may reduce the risk of unauthorized viewing of information on screens. Locks may prevent visitors from taking devices from the workstation area.
Strong authentication, encryption, and software access controls, for example, may mitigate risks of poor physical security. Laptops and other mobile devices often contain these kinds of technical safeguards to mitigate risks to confidentiality.
4. Inventory and Media Control and Disposal
The Covered Entity should inventory and track the devices under its control. A failure to know what devices it has could allow personnel or persons outside the Covered Entity to take devices without authorization and without detection. An updated inventory allows the Covered Entity to notice if devices are missing and to investigate any discrepancies.
The Covered Entity should have policies and procedures to ensure that security-sensitive information located on hardware or electronic media is in fact destroyed prior to its disposal. “Disposing” can include reusing a piece of hardware for applications that do not require access to security-sensitive information. All security-sensitive information should be erased before reuse or disposal. When erasure is impractical, as in the case of a CD-ROM, the Covered Entity should physically destroy the electronic media.
One particular threat is the reuse or disposal of a workstation or laptop that previously stored or processed security-sensitive information. Simple file deletion generally does not permanently erase the information, and many utilities can easily recover these files. The Covered Entity should use a secure data destruction methodology to cleanse any storage media before reusing it.
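The following toy block-store model is an added illustration (not code from the guide or its author) of why ordinary file deletion does not erase data: the directory entry is removed but the blocks keep their contents until overwritten, which is exactly what recovery utilities exploit. The class, block size, and sample record are constructed for the example.

```python
"""Toy block-store model of why file deletion is not data destruction.

Constructed illustration (not part of the guide): a directory table maps
file names to block numbers, and 'deleting' a file only removes the table
entry, much like a typical filesystem unlink. The blocks keep their contents
until something overwrites them, which is why recovery utilities can find
'deleted' data by scanning the raw media. secure_delete overwrites first.
"""
import os

BLOCK_SIZE = 16  # assumed tiny block size to keep the example readable


class ToyDisk:
    def __init__(self, n_blocks=8):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory = {}            # file name -> list of block numbers
        self.free = list(range(n_blocks))

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in chunks]
        for blk, chunk in zip(used, chunks):
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = used

    def delete_file(self, name):
        """Ordinary delete: forget the mapping, leave the data in place."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name, passes=2):
        """Overwrite every block with random bytes, then zeros, then unlink."""
        for blk in self.directory[name]:
            for _ in range(passes):
                self.blocks[blk] = os.urandom(BLOCK_SIZE)
            self.blocks[blk] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def carve(self, marker):
        """What a recovery utility does: scan raw blocks, ignoring the directory."""
        return [i for i, b in enumerate(self.blocks) if marker in b]


if __name__ == "__main__":
    disk = ToyDisk()
    disk.write_file("hr.csv", b"SSN=123-45-6789;")   # constructed sample record
    disk.delete_file("hr.csv")
    print("recoverable after plain delete:", disk.carve(b"SSN="))   # [0]
    disk.write_file("hr2.csv", b"SSN=987-65-4321;")
    disk.secure_delete("hr2.csv")
    print("recoverable after secure delete:", disk.carve(b"SSN="))  # []
```

The overwrite approach models magnetic media; on SSDs, wear levelling and spare blocks mean the drive may not overwrite the physical cells, and journaling filesystems and snapshots keep extra copies. For those media the practical choices are built-in cryptographic erase or physical destruction, which is why the text recommends destroying media when erasure is impractical.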
C. Technical Safeguards
Technical safeguards are security controls protecting security-sensitive information that are carried out via technology or managed by technology. Security hardware and software enable the Covered Entity to implement such controls. Among other things, technical safeguards prevent unauthorized access to security-sensitive information, protect against malware, provide audit trails for investigation or assessments, and prevent corruption or tampering with systems.
1. Access Control Technology
Access control systems should identify, authenticate, and authorize people and processes, implement a method of mediating access to information based upon the authenticated entity’s authorization, and log information accesses for later review. The Covered Entity should prepare policies and procedures on how it manages access control to security-sensitive information. These policies and procedures should include controls to ensure:
- Every user is uniquely identified and authenticated.
- User activity is logged.
- Access controls are in place and are effective (e.g., security-sensitive information is kept secure and/or encrypted to ensure its confidentiality).
In addition, the Covered Entity should have systems to prevent unauthorized access to systems containing security-sensitive information (e.g., firewalls) and detect intrusions (e.g., intrusion detection systems).
2. Patching/Updates
Covered Entities should have systems for regularly updating system and application software. Software manufacturers regularly issue patches and software updates to address security vulnerabilities and improve the ability of the software to resist attacks. Keeping software up-to-date will lower the risk of exploits and malware. The recent Equifax breach apparently stemmed from the company’s failure to update software to address a known vulnerability.
3. Logging
Covered Entities should have a technical method for logging user and system activity and a method, automated or procedural, for examining that log later. The overall intent of this requirement is to give the Covered Entity a means of monitoring user access to security-sensitive information and to hold users accountable for their access behavior. Logs of machine processes assist in monitoring the status of systems, and may assist in investigations of malicious activity, as well as possible corruption or software errors.
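The access-control requirements above (unique identification, authentication, mediated authorization, logging of every access) and the log-review requirement in this section are shown together in one added example; it is not code from the guide or its author. The role table, user names, and the denial threshold are assumptions made for the example.

```python
"""Minimal access-control mediator with an audit log, plus a log-review pass.

Constructed example (not from the guide): every request is authenticated
against a per-user credential, authorized against a role-to-permission table,
and logged whether it is allowed or denied. review_denials then scans the log
the way a periodic log examination would, flagging users who were denied
repeatedly (a common sign of probing or of a misconfigured account).
"""
import hashlib
import hmac
import os
from collections import Counter
from datetime import datetime, timezone

# role -> set of (action, resource) pairs; assumed for the example
PERMISSIONS = {
    "clerk":   {("read", "customer_record")},
    "analyst": {("read", "customer_record"), ("read", "ssn_field")},
    "admin":   {("read", "customer_record"), ("read", "ssn_field"),
                ("delete", "customer_record")},
}
PBKDF2_ROUNDS = 100_000


class AccessMonitor:
    def __init__(self):
        self.users = {}      # user_id -> (salt, password_hash, role)
        self.audit_log = []  # one dict per access attempt, allowed or not

    def add_user(self, user_id, password, role):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user_id] = (salt, digest, role)

    def _authenticate(self, user_id, password):
        entry = self.users.get(user_id)
        if entry is None:
            return False
        salt, digest, _ = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)  # constant-time compare

    def request(self, user_id, password, action, resource):
        """Mediate one access; returns True if allowed. Every attempt is logged."""
        authenticated = self._authenticate(user_id, password)
        role = self.users[user_id][2] if authenticated else None
        allowed = authenticated and (action, resource) in PERMISSIONS.get(role, set())
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "action": action, "resource": resource,
            "authenticated": authenticated, "allowed": allowed,
        })
        return allowed


def review_denials(audit_log, threshold=3):
    """Log review: user ids with at least `threshold` denied attempts."""
    denied = Counter(e["user"] for e in audit_log if not e["allowed"])
    return {u: n for u, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    m = AccessMonitor()
    m.add_user("alice", "correct horse", "clerk")
    m.request("alice", "correct horse", "read", "customer_record")  # allowed
    for _ in range(3):
        m.request("alice", "correct horse", "read", "ssn_field")    # denied
    print(review_denials(m.audit_log))  # {'alice': 3}
```

In a real system the audit log is written to append-only or remote storage so that the users it holds accountable cannot edit it, and the review runs on a schedule documented in the logging procedure.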
4. Integrity Controls
Covered Entities should use technology to prevent, or at least detect, improper data alteration and destruction from causes such as:
- Equipment failure.
- User accidents.
- Malicious user acts.
Technologies like redundant arrays of inexpensive disks (RAID), error-correcting memory, and fault-tolerant (clustered) systems already exist to reduce the risk of data alteration or loss from equipment failure. Well-designed user interfaces to databases and applications can reduce accidental data alteration or loss. Digital signature technology assists in identifying and preventing malicious user data manipulation or corruption.
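As an added example (not code from the guide or its author) of the difference between detecting accidental and malicious alteration: an unkeyed checksum catches a corrupted byte from failing equipment, but an insider who can rewrite the record can also recompute the checksum, so only a keyed tag detects the edit. The record fields and the key are placeholders constructed for the example; HMAC is a keyed MAC rather than a digital signature, so it gives integrity but not the non-repudiation a signature adds.

```python
"""Detecting data alteration: an unkeyed checksum versus a keyed tag.

Constructed example (not from the guide). Two integrity controls over the
same record: a SHA-256 checksum, which catches accidental corruption such as
a flipped bit from failing hardware, and an HMAC-SHA256 tag, which also
catches deliberate alteration because the attacker cannot recompute the tag
without the key. HMAC is a keyed MAC, not a digital signature.
"""
import hashlib
import hmac
import json

INTEGRITY_KEY = b"placeholder-key-keep-real-keys-in-a-kms"  # not a real key


def canonical(record):
    """Stable byte encoding so the same logical record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record):
    """Store the record with both an unkeyed checksum and a keyed tag."""
    body = canonical(record)
    return {
        "record": record,
        "sha256": hashlib.sha256(body).hexdigest(),
        "hmac": hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest(),
    }


def checksum_ok(stored):
    return hashlib.sha256(canonical(stored["record"])).hexdigest() == stored["sha256"]


def tag_ok(stored):
    expected = hmac.new(INTEGRITY_KEY, canonical(stored["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["hmac"])


def bit_rot(stored, field):
    """Equipment failure: one bit of an integer field flips in place; nothing else changes."""
    damaged = dict(stored)
    damaged["record"] = dict(stored["record"], **{field: stored["record"][field] ^ 1})
    return damaged


def malicious_edit(stored, field, value):
    """An insider with write access changes a field and recomputes the unkeyed checksum."""
    tampered = {"record": dict(stored["record"], **{field: value})}
    tampered["sha256"] = hashlib.sha256(canonical(tampered["record"])).hexdigest()
    tampered["hmac"] = stored["hmac"]  # cannot be recomputed without INTEGRITY_KEY
    return tampered


if __name__ == "__main__":
    stored = protect({"account": "A-1001", "balance": 500})  # constructed record
    print("bit rot:", checksum_ok(bit_rot(stored, "balance")), tag_ok(bit_rot(stored, "balance")))
    edited = malicious_edit(stored, "balance", 5000)
    print("insider edit:", checksum_ok(edited), tag_ok(edited))  # True False
```

The keyed tag only helps if the key is kept away from the people and processes that can write the records, which is the same separation-of-duties point the administrative safeguards make.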
5. Authentication
Authentication technology permits a Covered Entity to know that an authorized person, entity, or process is gaining access to information or systems. Systems commonly use passwords, tokens, biometrics, or dial-back techniques to verify an individual’s or entity’s identity. Covered Entities frequently use these authentication technologies to control access to security-sensitive information.
6. Transmission Security/Wireless Security
Covered Entities should protect security-sensitive information while it is in transit over a network, such as office wireless networks or the Internet. Security threats addressed include:
- Eavesdropping – An unauthorized person “listens” in on an unprotected or open network carrying security-sensitive information.
- Data modification – Interception and surreptitious modification of security-sensitive information by an intruder in a way that the recipient cannot detect.
The Covered Entity should protect data while in transit commensurate with the transmission security risks and their associated mitigation costs.
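One concrete place the two transmission threats above show up is a client that disables certificate verification, which lets an on-path impostor both read and alter traffic. The following added example (not code from the guide or its author) uses only the standard-library ssl module to build the weak and the hardened client configuration and to audit a context for the settings that matter; the finding codes are names chosen for the example.

```python
"""Auditing a TLS client configuration against the transmission-security
threats of eavesdropping and undetected modification.

Constructed example (not from the guide), standard-library ssl only. A
context that skips certificate verification lets an on-path attacker present
any certificate and then read or modify the traffic; the hardened context
verifies the server certificate against the system CA store, checks the
hostname, and refuses protocol versions below TLS 1.2.
"""
import ssl


def weak_client_context():
    """The 'make the certificate error go away' configuration seen in scripts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate from anyone
    return ctx


def hardened_client_context():
    """Default context already requires a valid certificate and hostname match."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 and SSL
    return ctx


def audit_context(ctx):
    """Return finding codes for an SSLContext; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")   # impostor can eavesdrop and modify
    if not ctx.check_hostname:
        findings.append("no-hostname-check")      # any valid cert for any name accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")     # downgrade to weaker versions possible
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))  # []
```

The same three checks transfer to any client library: certificate verification on, hostname matching on, and a floor on the protocol version. Whether the hardened context is then used for every connection is a matter of the policies and procedures the earlier sections describe.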
7. Encryption
The Covered Entity should evaluate and decide whether to encrypt some or all of its security-sensitive information while it is at rest in storage or transmitted over networks. Considerations going into this decision include:
- The recipients’ ability to receive and decrypt an encrypted message.
- The sensitivity of the transmitted information.
- The potential impacts of unauthorized disclosure.
- The costs of implementing, managing, and operating the encryption system.
- The vulnerabilities of storage, the network, and overall environment.
D. Robust Policies, Procedures, Standards and Documentation
Covered Entities should maintain robust documentation relating to their security programs. Common types of documentation include:
- Policies – Management’s documented statement of intent.
- Standards – Policy-mandated technical measures the Covered Entity will use to solve specific problems. Standards often specify the appropriate use of technology.
- Guidelines – Recommended, often strongly recommended, practices that personnel are generally expected to follow.
- Procedures – Documented methods for implementing mandated processes.
Policies are more general than other forms of documentation, while procedures are the most specific form of documentation. Standards and guidelines are in between. Documentation also includes security-related records, such as risk assessments, risk management decision-making, and records of investigations.
VII. Incident Response Steps: What Happens When There is a Breach?
Imagine for a moment that you believe your company may have experienced a data breach. In other words, your security company has detected or has been notified of some event. What do you do now?
First, take a deep breath. It is important to think clearly and not react instantly based on gut feelings and instinct.
Next, if you’ve done advance planning, you will have a breach response plan ready to go. It is a matter of executing the plan that you have already created. Initial steps include notification to your breach response team. Depending on the nature of the breach, team members include senior executives from the legal, IT, security, HR, marketing, and finance departments. Initial meetings can focus on the nature of the events, the initial take on what happened, understanding the severity of the incident, and identifying affected external parties or participants in the event.
Following initial meetings, the initial days of a breach response include an internal investigation to determine the facts and circumstances surrounding the apparent breach. What really happened? Information begins streaming in, and it may or may not show that a breach occurred. If it is clear that a breach occurred, it might not be clear how it happened, who was responsible, and whether it is still ongoing. The internal investigation phase is to find answers to all of these questions.
At the same time the internal investigation is starting, internal IT, security, and perhaps external forensic experts should be analyzing systems to determine the best course of action to prevent further exploitation of the breach, minimize the damage from the breach, determine the source and scope of the attack, leave open the possibility of a law enforcement investigation, detect and find evidence of the attacker, and preserve evidence needed for later legal proceedings, including both defensive and offensive actions. It may not be possible to meet all of these goals. Accordingly, the company may need to decide on the priority of these goals.
During this initial phase, the company should also consider notifying law enforcement. Collaborating with law enforcement has pluses and minuses beyond the scope of this paper. One important plus for involving law enforcement, however, is the fact that under many states’ breach notification laws, a company may delay in making required breach notifications if law enforcement believes that such delay is important for its investigation of the breach. Accordingly, working with law enforcement may buy the company some time when it comes to making decisions about the need for, or the timing of, breach notifications.
While the internal investigation is getting underway, the legal team can determine the legal posture of the company in light of the breach. The legal team should consider implementing a litigation hold and its scope, as well as taking steps to preserve evidence relevant to possible litigation. It should also start analyzing possible claims that parties could assert against the company, or possible claims that the company has against others, arising from the apparent breach.
Keep in mind that if an investigation may show that the company had vulnerabilities, the company may want to have outside counsel hire the computer forensic experts investigating the breach. Hiring experts in this way makes them an extension of outside counsel. Communications between the company and such experts can be protected by the attorney-client privilege. Thus, when the company is discussing vulnerabilities and weaknesses in systems or other information that may tend to indicate liability, it can protect such discussions with the privilege.
Upon the completion of an initial internal investigation, the company should develop enough information to determine if a breach notification is necessary and if it is, whom the company should notify. Different jurisdictions have different triggers for notifications, and it is important to analyze their different laws to determine whether notification is needed. If notifications are required, then the company should determine the timing, and begin drafting the notices for review and approval by the team. Once approved, the company should send notices out as quickly as possible.
In preparing the notices, the company should account for requirements about the content of the notices. It should also take into account those jurisdictions requiring notification to the attorney general or other entities, in addition to the affected individuals. Finally, it should be aware of possible alternative means of notice under certain state laws, in case these means are the only way to inform some of the affected individuals.
Once an investigation is completed and law enforcement has wrapped up its investigation, the company can change systems, close vulnerabilities, and remediate problems uncovered by the investigation. The idea here is to prevent the attackers from making additional attacks or exploiting the current breach. In addition, these steps will hopefully prevent future breaches by others.
Following the remediation phase, the company can then “close the loop” and undertake steps to evaluate what happened and make changes to prevent future breaches. For instance, post-breach analysis is a good time to reconsider the controls in the company’s security program to make changes and upgrades to minimize the risk of future breaches. The company may wish to make changes in its security policies, its procedures, technical standards, training programs, supporting guidelines, or technology.
In addition, the company may want to undertake a new risk assessment to provide an updated view of the company’s security posture. A risk assessment is a fundamental tool to determine what risks exist, which risks to mitigate, which risks it makes sense to shift (e.g., through insurance or indemnities), and which risks to accept.
Upon completion of these steps, the company should implement changes to procedures, standards, training, guidelines, and technology based on the information developed in this phase. At the end of this process, the company will hopefully be in a better position to deter, detect, and prevent security breaches.
VIII. Secure Electronic Commerce Systems
How does a company conduct electronic commerce in a secure fashion? In creating secure ecommerce systems, a company may seek to take advantage of the Internet to open new markets and facilitate paperless transactions at Internet speed. At the same time, companies want to enter into enforceable transactions and impose limitations of liability, disclaimers, and other critical terms on their customers or vendors. How can a company set up an ecommerce system to meet all of these goals?
Your company may use technologies such as digital signatures, supported by digital certificates or their equivalent, to authenticate contracting parties, facilitate the encryption of transactional information to protect its confidentiality, and tie contracting parties to your terms of service or other agreements. Other technologies provide similar assurances of security, although perhaps not as effectively as digital signatures and digital certificates.
Establishing secure electronic commerce systems involves making use of security technology, supported by procedures and training, to facilitate online transactions. The systems of the company and vendors providing the technology or supporting services will need to implement many of the security controls discussed above. Implementing such controls will enable the company to create a credible secure ecommerce system, whose security can be demonstrated to customers, vendors, and other stakeholders through security audits, assessments, and related attestations.
IX. Conclusions
With the ever-increasing number of attacks from competitors, former employees, hacktivists, state actors, and organized crime, companies holding sensitive information face escalating challenges to secure their systems, comply with security laws, protect the value of their sensitive customer information and intellectual property, and minimize their liabilities. Data breaches pose considerable risks to companies. Nonetheless, companies have tools at their disposal to manage the risks of data breaches. Moreover, if they take the right steps, they can recover from data breaches and increase the security of their organizations.
To find out more about how your company can reduce the risks of data security breaches, or respond to an ongoing breach, please contact Stephen Wu, (408) 573-5737.