Townsend Security Data Privacy Blog

Federal Data Privacy Law Advances in Senate Bill 1151

Posted by Patrick Townsend on Sep 29, 2011 10:35:00 AM

Draft versions of a Federal data privacy and breach notification law have been in existence for over a year. The House of Representatives passed a version some months ago, and two versions have been working their way through the US Senate. This week saw a significant advance in the US Senate as the Judiciary Committee, under Senator Patrick Leahy’s leadership, passed a version out of committee with a vote along party lines. I think Senate Bill 1151 represents a significant step forward towards a federal law that will replace all of the approximately 45 state laws on breach notification. The law still has to be reconciled with the House version, and a lot can change in the process, but there is general agreement in the business community that one Federal law is preferable to a lot of different state laws. So I think there is a good chance that a Federal privacy law can pass.

Here is a recap of some of the features of the new law that will affect your business:

  • You will need to have a written security policy.
  • You will need to perform periodic vulnerability assessments.
  • You will need to protect data using industry standard practices such as encryption.
  • The legal penalties include fines and imprisonment.
  • If you share sensitive data with service providers, you must ensure that they protect the data.
  • You are responsible for notifying people affected by the data loss.
  • There is an expanded definition of “Sensitive Personally Identifiable Information”.
  • You will need to maintain audit trails of who accessed sensitive information.

In many ways, the new federal law goes further than most state laws in defining what companies must do to protect sensitive data. The law tries to strike a balance between prescriptive measures and the evolving nature of threats. In many respects the law comes close to adopting many of the principles of the Payment Card Industry Data Security Standard (PCI DSS), and companies that meet PCI DSS requirements will find a lot that is familiar in the law.

The definition of Personally Identifiable Information (PII) has expanded pretty dramatically and now includes telephone numbers and mobile device IDs, email addresses, and other information. I will talk about this a bit more in future blogs. I think there are some substantial procedural and technology issues in this area that will affect your approach to protecting data.

As I expected, the Federal law makes reference to industry standards for encryption and key management, and points directly to existing laws such as Gramm-Leach-Bliley (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and others. The Federal Trade Commission is charged with developing guidelines in this area. I think there is a well-worn template for this type of work that will point directly to the NIST standards and best practices. I believe that companies would do well to be sure that their data protection strategies line up with NIST standards. FIPS 140-2 certification is already required of some private enterprises, and this is probably the direction we are going.

Be sure to follow us on Facebook, Twitter, and LinkedIn to stay up to date on the latest technology and news about data protection.


Topics: privacy laws, Data Privacy

Data Privacy for the Non-Technical Person Part 3

Posted by Luke Probasco on Sep 6, 2011 8:58:00 AM

Welcome to our final installment in the "Data Privacy for the Non-Technical Person" series.  In case you missed the other two blogs in this series, here are the links to part one and part two.  This third and final blog will cover data privacy compliance regulations and how an organization would begin to develop a security policy.

We hope that these blogs have been informative and answered questions that you might have had about data privacy.  If you still have questions, please feel free to send us an email.  Additionally, download our podcast "Data Privacy for the Non-Technical Person" to hear my conversation with Patrick Townsend, Founder & CTO, in its entirety.

Are there are any laws or regulations requiring businesses to protect their sensitive data?

Yes. There are quite a number of laws, and they cross over each other too. Many find themselves having to work with several regulations when protecting data. If you take credit cards, you fall under the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a private regulation promoted by the card brands (Visa, MasterCard, etc.). If you are a bank or engaged in the banking industry you fall under the Gramm-Leach-Bliley Act (GLBA) and FFIEC regulations for protecting information. Those are specific to the banking industry. If you go to the doctor or are a doctor/medical clinic or any place in the medical industry, you fall under the HIPAA/HITECH Act to protect patients’ medical information. There are also other regulations too. The government is moving laws through Congress to define protections for PII. So there are a number of regulations affecting data that needs to be protected.

So how would an organization begin to develop a security policy?

This is a real challenge, particularly if you are starting for the first time. It can seem overwhelming, especially when we read about the sophistication of data breaches and the attacks on companies. Keep it simple to start – there are things that you can do that are very effective up front, and know that you are vulnerable. I think one thing that sometimes inhibits people from taking action is thinking that they are not going to be subject to a data breach. That is a dangerous attitude. So, keeping it simple, taking simple steps, ranking where the vulnerabilities are and doing those things first are really important things. There are the obvious things like making sure you have good anti-virus software running on your computers and using good, strong passwords. If you have a web site, there are scanning tools that will help you scan to see if your web site is secure. And if your business is handling sensitive data, run background checks as part of your new employment procedures. Finally, there is some online help that can be really useful for most people – sans.org is a place where you can go to get basic policy information and get educated on threats. For businesses that need to secure data, we have a lot of resources on our website to help you understand the various regulations and what encryption and key management tools you can use to begin protecting your data.

Download our podcast “Data Privacy for the Non-Technical Person” to hear more of this conversation.


Topics: Encryption, Data Privacy, Encryption Key Management

Data Privacy for the Non-Technical Person Part 2

Posted by Luke Probasco on Sep 1, 2011 9:26:00 AM

This week brings part two of the "Data Privacy for the Non-Technical Person" series. Last week we determined what constitutes personal information that needs to be protected. This week Patrick Townsend, Founder & CTO, talks about how organizations are protecting sensitive information, how encryption and key management relate to each other, and what happens when encryption is not done correctly. If you are jumping in mid-stream, you can read part one here. Additionally, you can download our podcast titled "Data Privacy for the Non-Technical Person" to hear our conversation in its entirety.

How do organizations protect sensitive information?

They use a number of techniques.  Some of them are pretty obvious.  Businesses use anti-virus software and software to detect intrusions on their network, as well as making sure they have a secure web site if they are taking sensitive information from you over the internet.  And then they do some things that most people might not be aware of.  A business that is trying to protect your personal information will do some things that are procedural in nature – for example a lot of companies will now make sure all new employees have a background check.

Companies are also doing things that help make their data very difficult to steal. Encryption, which is the process of taking a credit card or social security number and turning it into an encrypted value, makes stealing data nearly impossible.

Companies who are really trying hard to protect information of their customers and employees are deploying a variety of tools.  Encryption is probably one of the more important ones and it is one of the more difficult technologies to deploy, but certainly all of the major companies that you might do business with over the Internet will be using encryption to protect your data.

Encryption and key management have been talked about a lot lately.  How do they relate to each other?

Encryption and key management go together. They are very complementary technologies. When you encrypt a credit card number, you have an encryption algorithm that takes your credit card number and turns it into something totally different. But another important input into that process is a secret key. Many people think that the encryption algorithm itself is some kind of secret mechanism, which isn’t the case. Encryption is well understood. There are standards for it and it is readily available. What is really the secret that prevents losing data is the encryption key – just like the key to your front door is what protects your house. An encryption key works very much in the same way. Companies that use encryption really have to create a key that is unique and very strong, and they have to protect it so that it doesn’t escape into the wild. Anyone that has the encrypted data and the encryption key really can get the sensitive data back. In the real world of protecting data with encryption, measures are taken to protect the encryption key – that is the real secret that people are trying to protect in a business environment.

What happens when encryption is not done correctly?

There are many ways that encryption can be done poorly or incorrectly. We see that sometimes around the area of encryption key management. For example, storing an encryption key on the same platform as the data that it is protecting is just bad practice. Sometimes you hear the term “integrated key management,” or people say “we are storing the encryption key in a database file and we have locked that database file down.” These are really poor practices and, in fact, cannot meet compliance regulations about encryption key management. So, that is just one example of encryption that is done badly.

Other examples are just using non-standard or proprietary encryption. The CUSP mode of AES encryption, for example, is not a standard mode and is a proprietary protocol that can’t be a part of true compliance. It is just another example of running off the rails in terms of best practice for encryption. A company that is purchasing encryption technologies should really examine their vendors carefully. I always point back to NIST certification because it is the bottom-line indication you have that the encryption product is a good quality solution.

Here is another interesting thing that I think people sometimes forget. If you have a data loss, it is going to be your problem, not the vendor’s problem. Even though you may have acquired a solution that is not right, it is still going to fall on you. It is going to be your headache to solve, your customers that are upset, and your financial loss when data gets out. The loss of trust from your customers and employees is also difficult. For all these reasons, I think paying attention to encryption technologies is a good idea.
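The point made in the last two answers, that the key is the real secret and that keeping it on the same platform as the data defeats the encryption, can be shown in code. The following Go program is an added example written for this page, not code from the original post or from Townsend Security's products. The KeyService type, its ExportKeyFile method (included only to model the anti-pattern), the Dump type and the card-number string are assumptions constructed for illustration. It encrypts a database row with AES-256-GCM and then shows what an attacker holding a copy of the database host gets in each deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one encrypted database row: the random nonce plus the AES-GCM ciphertext (which carries its own tag).
type Record struct{ Nonce, Ciphertext []byte }

// KeyService stands in for a key manager on a separate platform (assumed for this example):
// the application asks it to encrypt or decrypt and never sees the key bytes.
type KeyService struct{ key []byte }

// NewKeyService generates one random AES-256 key.
func NewKeyService() (*KeyService, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyService{key: k}, nil
}

// gcm builds an AES-GCM AEAD from raw key bytes.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with a fresh random 96-bit nonce.
func (ks *KeyService) Encrypt(plaintext []byte) (Record, error) {
	g, err := gcm(ks.key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt opens a record for the application; GCM rejects any row that was tampered with.
func (ks *KeyService) Decrypt(r Record) ([]byte, error) {
	g, err := gcm(ks.key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, nil)
}

// ExportKeyFile hands out the raw key so it can be written beside the data.
// It exists only to model the anti-pattern; a real key manager should not offer it.
func (ks *KeyService) ExportKeyFile() []byte { return ks.key }

// Dump is what an attacker takes from a compromised database host.
type Dump struct {
	Rows    []Record
	KeyFile []byte // nil when the key lives only in the key service
}

// RecoverFromDump is the attacker's view: with no key material the rows are
// opaque ciphertext; with a co-located key every row decrypts.
func RecoverFromDump(d Dump) ([]string, error) {
	if d.KeyFile == nil {
		return nil, errors.New("no key material in dump; ciphertext alone is useless")
	}
	g, err := gcm(d.KeyFile)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, r := range d.Rows {
		pt, err := g.Open(nil, r.Nonce, r.Ciphertext, nil)
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}

func main() {
	ks, err := NewKeyService()
	if err != nil {
		panic(err)
	}
	row, err := ks.Encrypt([]byte("4111111111111111")) // constructed value, not a real card
	if err != nil {
		panic(err)
	}
	_, err = RecoverFromDump(Dump{Rows: []Record{row}})
	fmt.Println("key held only by the key service:", err)
	leaked, _ := RecoverFromDump(Dump{Rows: []Record{row}, KeyFile: ks.ExportKeyFile()})
	fmt.Println("key file stored beside the data:", leaked)
}
```

RecoverFromDump fails when the dump carries only ciphertext and succeeds the moment a key file sits beside the data, which is why "we locked the database file down" is a poor practice: a dump of that locked file is exactly what leaks. GCM also rejects rows that were modified, so the application's Decrypt path doubles as an integrity check.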

Stay tuned for our next and final installment in this series.  Download our podcast “Data Privacy for the Non-Technical Person” to hear more of this conversation.


Topics: Encryption, Data Privacy, Encryption Key Management

Data Privacy for the Non-Technical Person Part 1

Posted by Luke Probasco on Aug 26, 2011 3:54:00 PM

As I attend industry events, it is surprising how many times we hear questions like “what constitutes personal information that needs to be protected?” I recently sat down with Patrick Townsend, our Founder and CTO, to discuss data privacy for the non-technical person.

When speaking about data privacy, the conversation often turns technical with common questions like “How do we implement encryption and encryption key management?”  This time, we intentionally kept our conversation focused on data privacy topics that can be understood from a high-level. 

I have created a series of blog posts from this conversation that will be posted in the next couple weeks.  Hopefully this blog series will answer any questions that you might have.  If you still have questions, feel free to send us an email.

What constitutes personal information that needs to be protected?

The first thing that everyone thinks of is credit card numbers. We know that we don’t want our credit card numbers escaping into the wild and having to go through the process of replacing them. I think that by now, most people have experienced getting a call from their bank, being alerted to potential fraud, and going through the process of having to replace a card. So credit card numbers are obviously personal information that people need to protect.

There are also other things that I think are important – financial bank account numbers.  We are all doing a little bit more now in terms of online banking.  Those bank account numbers carry value and we need to be very careful about that.  There are also some other items that tend to be used to commit financial fraud, such as social security numbers, driver’s license numbers, birthdate, etc.  In fact, information like your passport number, military ID, or health ID – all of those are examples of information that you should try and protect and make sure you are not sending them around or leaving them in places that can be easily picked up.

Other things like maiden name or previous addresses are also important. Think about the types of questions your bank asks you when you give them a call. They are using that information to identify you, and the fraudsters will use that information to impersonate you. These are all examples of sensitive information that we should be protecting. For people who are interested, the technical term for this type of information is Personally Identifiable Information or PII.

Stay tuned for our next installment in this series.  Download our podcast “Data Privacy for the Non-Technical Person” to hear more of this conversation.



Topics: Encryption, Key Management, Data Privacy

Five Ways to Help Your Company Prevent a Phishing Attack

Posted by Patrick Townsend on Jun 13, 2011 1:59:00 PM

As you probably know, “phishing” is the security term for email that looks perfectly valid but contains links or attachments that can infect your PC. Really good phishing email looks like it came from someone you know, or from a business that you work with and trust. A well-crafted phishing scheme lowers your defenses. You say to yourself, “I’m glad John got back to me on that financial plan,” or, “I wonder why Wal-Mart is having trouble with my invoice.” A click or two later you’ve fallen victim to a phishing attack.

Sometimes you know right away when you’ve fallen victim. Your PC goes bonkers or acts oddly and perhaps disturbing messages appear. However, the worst infections can go undetected for a long time. The malware may be snooping for your on-line banking account password, or trying to steal other valuable information. These are probably the worst types of malware infections as you don’t know you are infected.

Small and mid-sized businesses are now under increasing attack from this type of security threat. Organized criminals are looking at these companies as more vulnerable and easier targets. They may have smaller bank accounts, but it may be easier to drain them. So don’t think being a small company will not make you a target.

Here are some thoughts on simple things you can do:

  • Be sure all of your PCs and Macs are running the latest anti-virus protection software. Nothing should be connected to your network that does not have the best possible protection.
  • Be sure you use strong and unique passwords for financial accounts. We human animals like to minimize the number of complicated things we have to remember. If you use the same password for Facebook and your company bank account, you are in a lot of danger.
  • If you are a small company, consider dedicating a small laptop to do your on-line banking. You could load Linux (Ubuntu is my favorite) and a web browser like Firefox, and only use the laptop for that one function.
  • Use two-factor authentication for all of your high value transactions. The better banks will help you implement this, and it is one thing that can be helpful.
  • Be sure to remind your colleagues on a regular basis to be careful. Being alert is one of the strongest deterrents.

One of the biggest mistakes you can make is to feel you are immune from this type of attack. Those of us who work in IT or in the security area begin to think we are bullet-proof. Not so! I found myself shocked recently after clicking on a Facebook posting that looked like it came from my daughter, and watching Microsoft Security Essentials quarantine a nasty virus. My shields were down and I suffered an attack. But this is the characteristic of a really good phishing attack. You relax into a state of trust right at the wrong time.

Now, where’s that email from my new business partner in Nigeria?

For more data privacy news and tips, follow us on Facebook, Twitter, and LinkedIn.


Topics: Data Privacy, Best Practices

Tokenization: A Cost-Effective Path to Data Protection

Posted by Luke Probasco on May 19, 2011 10:20:00 AM

As companies work to meet regulatory requirements to protect Personally Identifiable Information (PII), one option to minimize the risk of loss is to replace sensitive data with a non-sensitive replacement value, or “token.”

Tokenization is the process of replacing sensitive information, such as a credit card or social security number, with a non-sensitive replacement value. The original value may be stored locally in a protected data warehouse, stored at a remote service provider, or not stored at all. The goal of tokenization is to reduce or eliminate the risk of loss of sensitive data, and to avoid the expensive process of notification, loss reimbursement, and legal action.

There are three primary approaches to tokenization:

  • Tokens are recoverable and stored by external service providers
  • Tokens are recoverable and stored locally
  • Tokens are not recoverable

The first method of tokenization uses external storage of recoverable tokens and is implemented by a small number of credit card authorization networks.

The second approach to tokenization involves the creation and storage of the token on local IT servers. The token is protected by encryption and can be recovered by decryption when it is needed.

The third type of tokenization involves the creation of a token on local IT servers, but does not allow for the recovery of the original value.

If you do not need to store sensitive data in your database systems, tokenization can greatly reduce your risk of data loss. The original sensitive data can still be used to query a database or locate information in a business application. But by not storing the sensitive data, you will not be at risk of losing it.

It is important to note that if you use recoverable tokens you still carry the risk of data loss, you are not protected from liability for a loss, and you remain subject to all of the regulations for protecting sensitive information.
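The second and third approaches, together with the query-by-original-value pattern described above, as an added Go example written for this page rather than code from the original post or from Townsend Security's products. The Vault type, the HMAC key and the sample card and social security numbers are constructed for illustration; a production vault would also encrypt its stored values and sit behind its own access controls and audit trail.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault models the second approach (recoverable tokens stored locally): a
// random token is issued per value and the token-to-value map is kept in a
// separate, access-controlled store. The post says the stored original is
// itself encrypted; this example keeps it in memory to stay self-contained.
type Vault struct {
	byToken map[string]string
	byValue map[string]string // the same value always maps to the same token
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// Tokenize returns the token already issued for value, or mints a new one.
// The token is 16 random bytes: it carries no information about the value,
// so a stolen table of tokens is worthless on its own.
func (v *Vault) Tokenize(value string) (string, error) {
	if t, ok := v.byValue[value]; ok {
		return t, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	t := "tok_" + hex.EncodeToString(b)
	v.byToken[t] = value
	v.byValue[value] = t
	return t, nil
}

// Detokenize recovers the original. This is the recoverability the post warns
// about: anyone who can reach the vault can get the sensitive data back, so
// the vault, not the token, is what must be protected and audited.
func (v *Vault) Detokenize(token string) (string, error) {
	value, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return value, nil
}

// IrreversibleToken models the third approach (tokens that are not
// recoverable) as a keyed HMAC-SHA256 of the value. It is deterministic, so an
// application holding the real value can still find its record, but nothing
// in the token or the database lets anyone walk back to the value. The key
// matters: card numbers and SSNs come from spaces small enough to enumerate,
// so an unkeyed hash could be reversed by hashing every candidate and comparing.
func IrreversibleToken(key []byte, value string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(value))
	return "hmac_" + hex.EncodeToString(m.Sum(nil))
}

// LookupByValue is the query pattern from the post: the table holds only
// tokens, yet a caller with the original value can still locate its row.
func LookupByValue(key []byte, table map[string]string, value string) (string, bool) {
	row, ok := table[IrreversibleToken(key, value)]
	return row, ok
}

func main() {
	// Constructed sample values, not real card or social security numbers.
	v := NewVault()
	tok, err := v.Tokenize("4111111111111111")
	if err != nil {
		panic(err)
	}
	orig, _ := v.Detokenize(tok)
	fmt.Println("vault:", tok, "->", orig)

	key := []byte("hmac-key-held-by-the-application") // assumption: managed outside the database
	table := map[string]string{IrreversibleToken(key, "123-45-6789"): "customer #42"}
	row, found := LookupByValue(key, table, "123-45-6789")
	fmt.Println("irreversible:", row, found)
}
```

The two token types fail differently. A vault token is random, so the only way to an original is through the vault, and that is where the risk and the compliance scope concentrate. An HMAC token never leads back to the original at all, which is what makes it suitable for the development, QA and UAT copies mentioned below, provided the HMAC key is kept out of those environments.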

Tokenization can be a powerful way to minimize risk in your development, QA, and UAT environments. When moving data to these environments you should always eliminate sensitive data to prevent its loss. Tokenization is an excellent way to do this.

Lastly, if you are a payment systems vendor you may wish to provide tokenization as a value added service to your merchant customers. Not only will you be helping them minimize their exposure to data loss, this can also be marketed as a competitive advantage for your business.

If you would like to learn more about tokenization, we recently presented a webinar titled "Tokenization & Compliance: 5 Ways to Reduce Costs and Increase Security."


Topics: Encryption, Data Privacy, tokenization