The California Attorney General (Kamala Harris) released a Data Breach Report early in 2016 which details the scope and breadth of data breaches over the past four (4) years and provides guidance to a wide range of businesses, explaining processes for securing data based upon the criticality of the data handled by the business, keyed to national standards. Businesses can use these processes and security protocols as a defense to third-party and governmental allegations of data security negligence. Lately, the Federal Trade Commission (FTC) has been aggressively pursuing companies that do not handle data properly. See Federal Trade Commission v. Amazon.com, Inc., C134-1038-JCC (W.D. Wash. Apr. 26, 2016) (although the court denied the FTC’s request for an injunction, the Agency did assert that Amazon failed to maintain reasonable and appropriate data security practices). The California Breach Report provides guidelines for security compliance.
Breach Types: Breaches can be categorized by type: (1) Malware and hacking breaches, caused by intentional intrusions into computer systems by unauthorized outsiders. (2) Physical breaches, resulting from theft or loss of unencrypted data stored on laptops, desktop computers, hard drives, USB drives, data tapes or paper documents. (3) Error breaches, which stem from anything insiders (employees or service providers) unintentionally do or leave undone that exposes personal information to unauthorized individuals. (4) Misuse breaches, which result from trusted insiders intentionally using their privileges in unauthorized ways. Graphically:
[Figure from the report: Number of Data Breaches 2012 – 2015]
Data Types: Although the data breach laws vary State by State as do the definitions of what is “protected data,” the California Breach Report describes certain critical data types: (i) name, plus Social Security number, driver’s license number, financial account number (such as bank account numbers and payment card numbers), (ii) medical information, or health insurance information; and (iii) credentials for online accounts (user ID or email address, plus password or security question and answer).
SSN: “Social Security numbers are among the most sensitive data types, because their abuse is the most difficult type of fraud for consumers to detect, protect against, and recover from. When a single credit or debit card account number is stolen, the victim can discover it in the next bill (if not earlier) and can stop the fraud by closing the account. It is a different story for stolen Social Security numbers. In the hands of identity thieves, Social Security numbers, and to a lesser extent driver’s license numbers, can be used for a variety of purposes. They enable thieves to open new credit accounts, take out loans, apply for and receive government benefits, among other things – all in the victim’s name. They can also be used for other fraudulent purposes, including taking over existing bank accounts and getting health care or government benefits. Criminals have provided stolen Social Security numbers when arrested, resulting in the creation of fraudulent criminal records in the victim’s name. Such uses can take months or sometimes years to detect. Even when detected, undoing the damage can be very challenging because it is almost never possible to change your Social Security number. So while the identified fraud may be repaired, the stolen number remains useful to criminals, who can revictimize individuals repeatedly for years. Social Security numbers continue to figure significantly in data breaches, and were involved in nearly half (48 percent) of all breaches and in 47 percent of records breached.”
“Payment card data was the next most likely data type to be breached, and was involved in 39 percent of all breaches. Medical or health insurance information, which most individuals regard as very sensitive, comprised a larger share of records breached, 36 percent compared to 32 percent for payment data.”
“Driver’s license numbers figured in 11 percent of breaches and 17 percent of records breached. Online account credentials, a data type that was added to the breach law in 2014, were involved in nine percent of breaches. The higher incidence of this data type in records breached, 24 percent, is largely attributable to the big LivingSocial breach in 2013 and the PNI Digital (Costco, RiteAid, CVS) breach in 2015.”
Notification requirements vary from State to State. In California, companies must offer identity theft services to victims of certain breaches. As for timing, the average time to notification was 40 days, typically by mail.
Recommendations for Reasonable Security: Establish a Standard of Care for Personal Information (Personally Identifiable Information, or PII). Best Advice: Limit the PII and personal information collected and retained by the organization. If an organization does not have the data, the data cannot be breached. This is the strongest protection. As breaches continue, hacker tools increase in sophistication and the stakes increase, so organizations must be vigilant and proactive to ensure more effective protection of PII.
Basic Privacy Practices: Limit PII collected and retained. Good privacy practices are reliant on a foundation of good security. An organization cannot protect people’s privacy without being able to secure their information from unauthorized access.
Security is Challenging: Securing information in the online world is very challenging. The adversaries are sophisticated. External Hackers: Large criminal enterprises, including transnational organizations and even nation-states, are engaged in attacking our information assets and stealing data.
Internal Hackers and Errors: The internal challenges are both technological and human. As organizational information assets and data become widely distributed, both physically and across digital storage (such as cloud storage and processing, and BYOD – Bring Your Own Device to work, meaning hand-held phones and tablets used by employees and vendors), exposure is exacerbated. Organizations amass huge quantities of information and retain it for possible future use. Employees and vendors are sometimes careless in handling PII. Intentional theft of information is oftentimes an opportunistic event.
Security is a Responsibility: There is no perfect security, hence organizations have a responsibility to protect PII. Organizations have both an ethical and a legal obligation to protect PII from unauthorized access. Neglecting to secure systems and data opens a gateway for attackers. A report by Verizon indicates that 99.9 percent of exploited vulnerabilities were compromised more than a year after the security controls for those vulnerabilities were publicly available. If an organization chooses to amass PII data but fails to uphold its security responsibilities, it may be culpable.
In California, the Information Security Statute (California Civil Code § 1798.81.5) requires a business that collects PII to use “reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Federal laws and regulations include the Gramm-Leach-Bliley Act (GLBA) (financial services); the Health Insurance Portability and Accountability Act (HIPAA) (health care); the Federal Information Security Management Act (FISMA) (federal agencies); and the Federal Trade Commission’s guidance (Start with Security: A Guide for Business).
Security is a Process: Information security laws generally require a risk management approach. Organizations must develop, implement, monitor, and regularly update a comprehensive information security program. Risk management generally includes the same basic steps: it starts with assigning responsibility for information security within the organization, followed by the actions below.
“(1) Identify information assets and data to be secured; (2) Assess risks to the assets and data; (3) Implement technical, administrative, and physical controls to address identified risks; and (4) Monitor effectiveness of controls and update as risks, business practices, and controls evolve.”
Security is Based on Standards: A risk management process only achieves reasonable security if the risks are identified and effective controls are implemented. “Security standards define the scope of security controls, the criteria for evaluating their effectiveness, the techniques for ongoing assessment and monitoring, and the procedures for dealing with security failures.” Standards are updated periodically and are aligned around a basic security process and defensive controls.
“RECOMMENDATION: The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security. Formerly known as the SANS Top 20, the Controls are now managed by the Center for Internet Security (CIS), a non-profit organization that promotes cybersecurity readiness and response by identifying, developing, and validating best practices.”
“Each [CIS] Control is presented with an explanation of why it is critical, followed by specific actions (sub-controls), and by procedures and tools for implementing it. A set of tools for implementing the first five controls, which are the first steps to take, has been developed specifically for small organizations.”
The following is a summary of the CIS Controls, grouped by action. A complete list of the CIS Controls is found in the Breach Report, Appendix A.
“(1) Count Connections: Know the hardware and software connected to your network; (2) Configure Securely: Implement key security settings; (3) Control Users: Limit user and administrator privileges; (4) Update Continuously: Continuously assess vulnerabilities and patch holes to stay current; (5) Protect Key Assets: Secure critical assets and attack vectors; (6) Implement Defenses: Defend against malware and boundary intrusions; (7) Block Access: Block vulnerable access points; (8) Train Staff: Provide security training to employees and vendors with access; (9) Monitor Activity: Monitor accounts and network audit logs; (10) Test and Plan Response: Conduct tests of your defenses and be prepared to respond promptly and effectively to security incidents.”