
Posts Tagged ‘Security’

Shopper Uncovers Security Compliance: 201 CMR 17.00 Already Having an Effect on Businesses

I was semi-impressed yesterday when I visited a global retail chain, signed up for a new credit card and was handed back the application form to destroy myself.  Retail stores that handle payment card information must abide by the strict rules of PCI DSS, the Payment Card Industry Data Security Standard developed to protect card data.

The form I filled out contained Personal Information (PI) rather than payment card data, so it falls outside PCI scope; in Massachusetts, that kind of data is exactly what 201 CMR 17.00 covers.

To better understand the process, I asked the clerk what would happen if I left the form behind.  She told me that leftover forms go in the bin behind her and that a disposal company destroys everything in the bin; the store receives a certificate of destruction from that company as proof.

Good start.  The company could have taken this a step further with a covered, locked bin instead of a standard-looking wastepaper basket: until the disposal vendor collects it, an open bin behind a counter is readable by anyone who reaches over it, and the certificate of destruction only covers what actually made it into the vendor's truck.  Still, one giant leap for better InfoSec data protection.

201 CMR 17.00 is here to stay, at least until H.R. 2221 gets passed ;)

How is your company doing so far with meeting the Massachusetts regulation for the protection of PI?  If you are outside the Commonwealth and do not store Massachusetts residents’ PI, are you doing anything to protect your own state’s residents’ PI?

jay.martin@cppit.com – ITIL, CISM, ISMAS – www.cppit.com


Connecticut Attorney General Sues Health Net Over Security Breach

I mentioned in my blog in late November that the cost to Health Net of losing an unencrypted hard drive containing 450,000 patient records (revised down from 1.5m) would far exceed the cost of securely controlling and protecting their information assets. Health Net will now begin spending on its defense against the lawsuit filed by Attorney General Richard Blumenthal.

The breach occurred in May 2009 and was not reported until November. As discussed, Connecticut’s breach notification law is fairly strict, and I would assume that holding off reporting such an incident for more than five months is over the top, which could lead Blumenthal to make an example of Health Net for all to see. To add fuel to the fire, the HITECH Act (enacted as part of the American Recovery and Reinvestment Act of 2009) imposes its own notification requirements for breaches of health information, which were apparently neglected as well. See my November blog post under Security entitled “Health Net Breach — A Failure of People, Process & Technology” for more details.

jay.martin@cppit.com

CISM, ISMAS

www.cppit.com


H.R. 2221: Data Accountability and Trust Act

The national Data Accountability and Trust Act, H.R. 2221, passed the House of Representatives earlier this month (Dec. 8, 2009).  Like 201 CMR 17.00, the Massachusetts standards for the protection of personal information, the bill seeks to protect consumer personal information and requires notifying affected individuals in the event of a breach, but at the national level.  The bill goes before the Senate next and then to the President.

H.R. 2221 would require for-profit organizations to develop the security policies and safeguards needed to protect U.S. residents’ personal information within one year of its passing.

More to come later…

jay.martin@cppit.com

CISM, ISMAS

www.cppit.com


Health Net Breach — A Failure of People, Process & Technology

The recent Health Net data breach of 1.5 million patient records, caused by a lost hard drive, exposed unencrypted personal information: names and addresses, medical records, Social Security numbers and other financial information.  A breach of this magnitude is shocking, and what is more astounding is that it apparently occurred in May 2009 and was not reported to the Connecticut Attorney General’s office until this month (November 2009).  The breach may amount to gross negligence under HIPAA, the FTC “Red Flags” rules, Connecticut’s Public Act 08-167, CGS 36a-701(b) and other state regulations and breach laws.

I am sure that Health Net, like most companies, felt they had developed the controls necessary to meet such regulations.  But a breakdown of this magnitude proves that the company failed to institute strong enough information security policies, employee awareness programs and technology across the company to protect against this major corporate risk.   That is why we have been advising our clients to develop a risk-based information protection plan that weighs their potential loss against the cost of securely controlling and protecting their information assets.  The monetary penalties and consequences to Health Net for this breach will far outweigh the should-have preventative cost of deploying the right controls for this threat.  If the lost hard drive were encrypted, I wouldn’t even be writing this blog.  Under the HITECH breach notification rules, data encrypted in line with HHS guidance is treated as unusable to an unauthorized person, so the loss of a properly encrypted drive (with the key kept somewhere other than on the drive) would not have been a reportable breach at all.

In his statement, Attorney General Richard Blumenthal stated that “I will vigorously and aggressively seek damages, penalties and other appropriate remedies, if warranted.”

This is not optional:  *Information security programs that include people, process, technology and partners must be vigorously managed and improved upon over time.*     Comments are welcome.

jay.martin@cppit.com

www.cppit.com


SSL and TLS no longer safe?

End-to-end encryption took a big hit last week when US-CERT reported that exploit code for a man-in-the-middle attack against SSL and TLS renegotiation is publicly available.   An attacker who can intercept traffic opens a session to the server, sends data of his own choosing, and then splices the victim’s handshake into that session as a renegotiation; because the server hands the application the bytes before and after the renegotiation as one continuous stream, the attacker’s data is delivered as a prefix to the victim’s authenticated request.  The attacker does not learn the session keys and cannot read the victim’s traffic, but against HTTP a prefixed partial request is enough to have the victim’s cookies authorize a request the attacker wrote.  The vulnerability affects pretty much every site we securely connect with, including online banking sites, PayPal, etc., and every operating system and browser, because it is a flaw in the protocol rather than in any one implementation.

Updates are not yet available to remediate the exploit, but there is an Internet-Draft dated November 14, 2009 that fixes TLS by binding each renegotiation to the handshake that preceded it; a server that requires this binding can tell a victim’s proxied handshake from a genuine renegotiation and reject it.  The draft is here if you wish to review it (it is an Internet-Draft, not yet an RFC).  Its existence before the CERT announcement means the fix was prepared during a coordinated, pre-disclosure effort among the draft’s authors and affected vendors, which is the usual way a flaw this broad is handled.

As you may know, SSL itself will not be updated, since most of us are really using TLS in our browsers when we connect to secure web sites.  We still call it SSL, but browsers negotiate TLS first and fall back to SSL only when that fails.

I suspect a patch is on its way within the next few weeks, so make it a priority to update your systems through your normal patch update mechanism.
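As an added illustration that is not part of the original post, the following Python sketch models the splice described above and the binding the draft adds. It is a constructed simulation, not real TLS: the handshake is reduced to the one field the fix hinges on, the hostnames, paths and cookie value are made up, and `Handshake`, `run_session`, `attack_events` and `legitimate_events` are names chosen here rather than anything from a real library.

```python
"""Toy model of the 2009 TLS renegotiation flaw (constructed example, not real TLS).

An attacker opens a TLS session to the server, sends a partial HTTP request,
then proxies the victim's ClientHello into that session as a renegotiation.
A server that treats the bytes before and after the renegotiation as one
application-data stream lets the attacker's prefix and the victim's
authenticated request merge into a single HTTP request.
"""
import hashlib

# Constructed sample traffic (not captured from any real site).  The attacker's
# final header has a name but no value, so the victim's request line lands in
# that header's value and the victim's Cookie header ends up authenticating the
# attacker's request instead of the victim's own.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore-This: "
)
VICTIM_REQUEST = (
    b"GET /account/balance HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)


class RenegotiationError(Exception):
    """Raised when a server enforcing secure renegotiation refuses a handshake."""


class Handshake:
    """A ClientHello reduced to the one field the fix hinges on.

    renegotiation_info is empty when the client believes this is a brand-new
    connection; on a renegotiation it carries the verify_data of the handshake
    the client thinks it is renegotiating.  verify_data stands in for the value
    real TLS derives from the Finished messages (here: a hash of a label).
    """

    def __init__(self, label, renegotiation_info=b""):
        self.renegotiation_info = renegotiation_info
        self.verify_data = hashlib.sha256(label).digest()[:12]


def parse_http_request(raw):
    """Minimal HTTP/1.1 request parser: returns (method, path, {name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def run_session(events, secure_renegotiation):
    """Replay ('handshake', Handshake) and ('data', bytes) events at a server.

    With secure_renegotiation=False (pre-fix behaviour) the application sees one
    continuous byte stream no matter how many handshakes occurred.  With it True,
    any renegotiation whose ClientHello does not bind to the previous handshake's
    verify_data is refused, which a victim ClientHello proxied in by an attacker
    cannot satisfy because the victim never saw that first handshake.
    """
    stream = b""
    previous = None
    for kind, payload in events:
        if kind == "handshake":
            if previous is not None and secure_renegotiation:
                if payload.renegotiation_info != previous.verify_data:
                    raise RenegotiationError(
                        "ClientHello does not bind to the prior handshake; aborting")
            previous = payload
        elif kind == "data":
            stream += payload
        else:
            raise ValueError(kind)
    return parse_http_request(stream)


def attack_events():
    """Attacker's own handshake, attacker's prefix, then the proxied victim
    handshake (renegotiation_info empty: the victim thinks it is connecting
    fresh) followed by the victim's real request."""
    return [
        ("handshake", Handshake(b"attacker")),
        ("data", ATTACKER_PREFIX),
        ("handshake", Handshake(b"victim")),
        ("data", VICTIM_REQUEST),
    ]


def legitimate_events():
    """One client renegotiating its own session, so it can present the binding."""
    first = Handshake(b"client")
    return [
        ("handshake", first),
        ("handshake", Handshake(b"client-again", renegotiation_info=first.verify_data)),
        ("data", VICTIM_REQUEST),
    ]


if __name__ == "__main__":
    method, path, headers = run_session(attack_events(), secure_renegotiation=False)
    print("vulnerable server executed:", method, path, "with", headers.get(b"cookie"))
    try:
        run_session(attack_events(), secure_renegotiation=True)
    except RenegotiationError as exc:
        print("fixed server:", exc)
```

The interim mitigation several vendors shipped first was to disable renegotiation entirely, which in this model amounts to rejecting any second handshake; the draft’s binding keeps renegotiation working for clients that can present it. Once patched builds are in place on both ends, `openssl s_client -connect host:443` reports “Secure Renegotiation IS supported”, which is the quick check to run against your own servers.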


Third-Parties — Mass. Standards for the Protection of Personal Privacy

Important update.  The amended 201 CMR 17.00 has softened the requirement for third parties you do business with that have access to personal data.  The original regulation, slated for a May 1, 2009 compliance date, required businesses to obtain “certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations”.

The revised regulation scheduled for January 2010 now states that businesses should ensure that third-parties are taking all reasonable security measures — at least as stringent as those provided in the 201 CMR 17.00 regulation — in protecting personal information.

Ensure?  How are you going to “ensure” that your third parties are protecting themselves?

Here’s what I recommend, and I suggest you follow it.  Send each of your third parties (whether they do business in the Commonwealth or not) the 201 CMR 17.00 Audit Compliance Checklist that I linked in my first blog on this subject (see below).  Add a signature page to the checklist and have your third parties sign it.  If they don’t fully comply, have them put together a letter that outlines their security improvement plan with dates, and have them sign that too.

If a third party is not willing to go the extra mile, you’ll have no choice but to move on.  The eventual financial risk and public-image drubbing may be too high.  Are you willing to chance it?

Let me know your thoughts.


Are You Ready For 201 CMR 17.00 – Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information

201 CMR 17.00 — Massachusetts’ New Privacy Law Sets Strict Standards for the Protection of Personal Information


Regulatory Compliance…When Will It End

Most of the clients we work with are just starting to breathe a little easier, having put the appropriate compliance measures in place to satisfy the last regulation that was mandated: SOX, PCI, state-specific data privacy acts, HIPAA, GLBA.  The undertone of all of these regulations is confidentiality, integrity and availability, which includes minimizing the risk of exposing personal and confidential data and assuring that data is not compromised, maliciously or otherwise.  I suspect that the latest financial failures and the alleged Ponzi scheme on Wall Street will lead to yet more stringent guidance on data risk reduction, and another round of IT measures will be required. 

As the custodians of the data, IT can and should continue to get better at mitigating risk and safeguarding data.  But it is important to note that assuring data integrity, availability and confidentiality will not take the place of the personal integrity and transparency that cannot be enforced through technology.  What are your thoughts?


Beyond a Clear Desk Policy – Where Security and IT Service Continuity Meet – Part 2

In the attached article I provide some sound advice so that your organization is better prepared for a disaster and you can sleep more soundly at night.


Clear Desk Policy – Where Security and IT Service Continuity Meet – Part 1


Would your company be prepared if faced with a catastrophic event like the one below? This is my true story…

In May 2008, while I was visiting one of my clients in Greeley, Colorado, their headquarters and primary computing site was struck by a massive tornado (a YouTube clip of the actual tornado exists). I was in a conference room on the top floor of the building when we were abruptly interrupted and instructed to head immediately for the stairwell in the center of the building wing. As I left the conference room, I saw the outline of the tornado in the distance. Born and raised in the Boston area, the only tornadoes I had witnessed were on TV or YouTube, so I wasn’t too hard on myself when I had to be called out of my deer-in-headlights trance: “Jay, this way.” Crammed into the stairwell, the next 20 to 30 minutes were nothing short of intense, if not downright horrific, as the building walls and stairs shook violently and it sounded as if a large locomotive had hit the building. People were crying, shaking and wondering if they would ever see their loved ones again.

Then we felt it, a strange stream of cool air blowing down the stairwell. We’d later come to realize that the cool air was due to a section of the roof being blown off and settling some 300 feet from the building. When the “all clear” sounded, we were instructed to return to the top floor, collect our belongings and evacuate the building because of a gas leak caused by the tornado. Windows were blown out, and chairs, file cabinets and papers were strewn all over the office. The papers were not contained within the building but thrown all over the parking lot and the adjacent property of an insurance company that was also in the direct path of the tornado.

I heard a story that during the 1992 London Bombings, sensitive and confidential financial documents were found miles away from the blast site. Seeing that this tornado picked automobiles up and tossed them 15 feet away, I wondered how far my client’s paper trail would go.

A Clear Desk Policy requires all personnel to clear their desks and file documents appropriately according to the company’s Information Sensitivity Policy. The policy is typically written as part of a company’s security program, but the risk of critical documents having no copy (digital or otherwise) is a business continuity concern as well.

So, would your company be prepared? Do you have a clear desk policy? If so, does it only mandate that documents be cleared at the end of the day?

In my next blog, I’ll give you some practical ways to ensure that your documents don’t end up in China (unless of course you are reading this from China).

Posted by: Jay Martin

Compliance Process Partners — www.cppit.com

jay.martin@cppit.com
