AlertBoot Endpoint Security : secure digital assets

Data Encryption Software: South Shore Hospital Update

sang_lee — Thu, 09 Sep 2010 00:43:00 GMT

A couple of months back, South Shore Hospital had announced the breach of patient information for 800,000 people. At the time, I had wondered whether data encryption like AlertBoot had been used to protect the data. Seeing how it involved close to a million people, the use of encryption software would have been advisable.

Data Breach: Little to No Risk

Today, South Shore has reported to the Massachusetts AG's Office that there is "little to no risk that information on the files has been or could be acquired, accessed or misused," per the Boston Herald.

If you'll recall, three boxes of tapes were sent away for destruction via a commercial courier. When South Shore did not receive certificates of destruction, it pressed its contractors for an answer. Eventually, word got back to the hospital that only one box arrived at the data destruction facility, which was destroyed.

Since then, an investigation into the two boxes has revealed that the contents of the two boxes probably ended up in a landfill, and that there was no reason for anyone to steal the boxes for the data within them since they were unmarked. More specifically,

All available evidence indicates that the three boxes of computer tapes were likely separated from each other during transport. Once separated [Ed. - the three boxes were placed together on a shipping pallet], two of the three boxes were unidentifiable because they were unmarked and appeared to be of no value. As a result, those two boxes of computer tapes are believed to have been disposed of in a secure commercial landfill that [the carriers] uses to dispose of unclaimed materials and are therefore unrecoverable. [bostonherald.com]

Outside data forensic experts have concluded that it would nearly impossible for someone to access the information on the backup tapes.

In all, all signs point towards the risk of breach being minimal. Not only will a potential data thief need some advanced skills to read the information on the tapes, he or she'd also need the not-so-advanced skills of digging and shoveling (and the clairvoyance to know where the tapes are currently buried).

What About the Next Time?

Unfortunately, this is not a case of "all's well that ends well." After all, just because South Shore had its breach doesn't mean it couldn't have another one tomorrow. It continually needs to make sure that its data security policies reflect the realities of the potential threats they are facing. In fact, one might say it's more of case of "whew, we got lucky this time!"

South Shore will have to assess whether the use of backup tape encryption is warranted as well as other security measures, including physical ones (perhaps better tape so boxes on their pallets don't come apart?)

Data Breach Costs: Standard Breach Notification Bylines Deceptive Acts Or Practices?

sang_lee — Tue, 07 Sep 2010 22:26:00 GMT

Data Protection Involves More Than Digital Tools Like Disk Encryption Software

A couple of months back, I observed that a pretty-standard clause used by Rite Aid Pharmacies had caused them trouble with the FTC. Actually, it's unfair to say that, since Rite Aid erred to begin with: employees dumped sensitive documents, knowing fully (or, at least, they should have known) that proper data security ought to have been practiced, such as using a shredder.

The FTC pretty much called Rite Aid on the practice:

Rite Aid made claims such as, "Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy." The FTC alleged that the claim was deceptive and that Rite Aid's security practices were unfair.[My emphasis]

Today, I was doing some reading and found out that the above was not the first time the FTC took to task a company for claiming that they had good data security practices.

ChoicePoint: Deceptive Acts or Practices in or Affecting Commerce in Violation of Section 5(a) of the Federal Trade Commission Act

If you read this complaint by the FTC, on page 11 (paragraphs 31 and 32), the FTC notes that ChoicePoint "has not implemented reasonable and appropriate measures under the circumstances to maintain and protect the confidentiality and security of consumers' personal information," which contrasts with ChoicePoint's public claims (documented in paragraphs 27 through 29, inclusive, of the complaint).

This all relates, of course, to ChoicePoint's 2005 data breach, where information on 145,000 was sold to identity thieves who set up shell companies and provided forged documents to "buy" (or, if you prefer, steal) data. It was the data breach that pretty much prompted other states to sit up and take notice, and possibly to adopt their own data breach notification laws.

In ChoicePoint's case, the inclusion of the "deceptive acts" feels as, if not an afterthought, at least as a trifling issue to the major problem of identity thieves successfully poaching information for over 145,000 people.

In the Rite Aid case, the "deception" feels more prominent in the FTC's case against the pharma chain.

Now that I've found two of them, I'm pretty sure there must be other cases where the FTC has brought suit against companies that claimed to protect confidential data.

While I'm not a lawyer, I guess this just means you really have to pay attention to what you're promising or implying. I mean, "Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously" is considered to be deceptive practice because actions didn't match up with words?

That claim, about taking its responsibilities seriously, is a fairly standard byline in pretty much all data breach notification letters I've read to date. More importantly, a significant number of breaches I have read involve situations where I'd seriously consider whether the company, just like ChoicePoint and Rite Aid, took data security seriously: instances where a laptop is lost because of a break-in to a car, lost at the airport, etc.

In a tiny number of those situations, the computers were protected with laptop encryption like AlertBoot or similar data protection tools. In the bulk of the cases, there was no data security.

Perhaps it's too much to ask, or too much to expect, the FTC go after such companies. Unless it involves a "Fortune 500 company" and the situation is covered in nationwide media.

Related Articles and Sites:
http://www.ftc.gov/os/caselist/choicepoint/0523069complaint.pdf

Full Disk Encryption: University of Rochester Medical Center Notifies 837 Of Lost Flash Drive

sang_lee — Fri, 03 Sep 2010 23:17:00 GMT

University of Rochester Medical Center (URMC) has notified 837 people that their medical information may have been compromised when a USB memory stick went missing. Disk encryption software was not used to secure the contents of the flash drive.

Not All Affected

The USB disk belonged to a surgeon who used it to save information for patients that needed follow-up care. The only reason 837 patients are being notified is because the physician is uncertain whose files were in the missing USB disk. The 800-odd patients represent current and former patients the doctor has seen over the past 3 years.

The lost information includes names, dates of birth, and diagnoses and other medical information, but does not include SSNs or addresses. Overall, not as bad as medical data breaches go.

This case is one where everyone is being notified because the list cannot be pared down. One imagines the list could be pared down--say, to only the patients that he's seen in the last year--but there is no guarantee that he deleted any files after a patient successfully recovered. And who's to say how long it takes for patients to recover? If it takes them more than a year of follow up after surgery...well, my proposed "one year cutline" would be inadequate.

USB Disk Encryption Ought to Have Been Used

There's a lot of talk about the "cloud-this" and the "centralized-medical-database-that" and lots of forward-thinking technologies (and their negative effects) but sometimes it's the old stuff that one has to focus on. In fact, some might say that most of the time it's the old stuff that one has to focus on.

Why? Because it's the old stuff that's being used by people. Of course, USB flash drives, as commercial products, are anything but old. I got my first one about 5 years ago, when they were still considered "hot products." Still using the same one, in fact.

It's not protected with whole disk data encryption, which may raise some eyebrows along some circles. I mean, look who I work for.

On the other hand, unlike the good doctor above, I never carry personal information on it. And, if I do find myself needing to save a sensitive file to it, I actually use a self-contained file encryption program from Sophos. Why? Well, it works. And it's free.

Now, if I was in the habit of constantly saving sensitive data to my 5-year old USB drive, I would use a disk encryption program like AlertBoot on it, which is what our surgeon should have been doing.

URMC has announced that they'd start encrypting all laptops and USB flash drives in order to prevent similar future breaches. I don't know why they've waited so long.

Connecticut Personal Information Data Privacy Notification And Encryption Laws: Sec. 36a-701b

sang_lee — Thu, 02 Sep 2010 03:58:00 GMT

Connecticut currently has a data breach notification law on its books. Like many states, the use of encryption tools, such as full disk encryption for laptop data protection, provides safe harbor from sending out notification letters in the event of a data breach.

I just had to take a look into it after yesterday's post on Connecticut's insurance data breach notification directive.

The state's notification law is surprisingly short.

Data Encryption Provides Safe Harbor From Breach Notification

Connecticut is one of those states that does not twist language and logic in order to essentially say, "if you used encryption to protect data, you're golden." Many state laws provide safe harbor by defining personal information as "unencrypted personal information." Then, they mandate notification letters in the event of a data breach of personal information.

Since encrypted personal information is by definition not personal information (see how convoluted that is?), the breach of encrypted personal information does not require breach notifications. No such non-sense with Connecticut. Here's their definition of a breach:

For purposes of this section, "breach of security" means unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [Sec. 36a-701b(a)]

Oh, my! How stupendously direct and clear that is! Honestly, I've got to congratulate the Connecticut legislature for making things so easy to comprehend.

I mean, certainly there are loopholes (would password-protection be considered a method that "renders the personal information unreadable or unusable?" I would not). However, you don't have jump and hop over different sections to figure out what's going on.

Note how the breach is relegated to computerized data only. This is something of an antiquated definition of a data breach. Notification ought to be extended to paper records as well, just like the CT Insurance Commissioner mandated to its registered entities.

In fact, many states are updating data breach notification laws to include information breaches of paper documents.

What Is Considered A Personal Information Security Breach In Connecticut?

According to the law "personal information" is the first name (or initial) and last name combined with:

Social security number

Driver's license or state ID information

Financial information, such as account numbers, credit card numbers, etc.

Nothing surprising here.

What Needs to Be Included In The Customer Notification Letter?

There are no specifics on what needs to be included in notification letters, although this is not uncommon. Many states do not specify content requirements, although those that do generally tend to include the following:

The incident in general terms;

The type of personal information that was subject to the unauthorized access and acquisition;

The general acts of the individual or entity to protect the personal information from further unauthorized access;

A telephone number that the person may call for further information and assistance, if one exists; and

Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

There are exceptions to sending notification letters if the cost of doing so involves or exceeds 500,000 people or $250,000, respectively. In that case, substitute notices can be sent out as long as all of the following are adhered to:

E-mail is sent out, for affected persons whose electronic addresses are on file

Conspicuous posting on the breached entity's website

Notification to state-wide media

Penalties

No specific penalties are listed for not complying with CT's breach notification legislation. However,

Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General. [Sec. 36a-701b(g)]

I would suggest the use of AlertBoot endpoint encryption vs. having to deal with all of the above if and when things go awry. I mean, why not take advantage of a safety net (in the form of encrypted data) if you're being afforded one?

Related Articles and Sites:
http://www.cga.ct.gov/2009/pub/chap669.htm#Sec36a-701b.htm

Encryption For E-Mail: Electronic Mail Is Leading Cause For Enterprise Data Loss

sang_lee — Mon, 30 Aug 2010 22:30:00 GMT

Informationweek.com points out that electronic mail is still the leading cause of data breaches at companies, despite its use being "on the wane" due to inroads by new social media. The same technology--such as laptop encryption software from AlertBoot--that guards data stored on computers can also be applied successfully to protect outgoing e-mails.

Some Stats

According to informamtionweek.com:

35% of large enterprises launched investigations into data leaks via e-mail in 2009

72% are worried about personal and financial information breaches via outbound e-mail

71% are also concerned about ex-workers e-mailing trade secrets and other corporate secrets via e-mail

48% performs audits of outbound e-mail

37% have employees monitoring the contents of outbound e-mail (33% have people whose jobs are exclusively reading and analyzing such e-mail)

Readers will readily note that some of the practices listed above are not exactly preventative, nor do they come close to being preventative. For example, audits of outbound e-mail, while necessary in order to get a grip on whether current security is adequate, cannot do much to secure information that has already been sent out to an outside party. Even if the audit were to catch it relatively quickly, there's no way to prevent the receiving party from reading it.

Another example is a situation where an e-mail is sent with an attachment that contains sensitive information. The correct person received it; however, the e-mail should have been encrypted due to the sensitive nature of the attachment. An auditor runs across the situation, but if the company does business in Sin City, it's already afoul of Nevada's data breach law, which was amended one year later: e-mails that contain personal information, such as SSNs, must be encrypted.

Email Encryption, Automated

Human monitoring and auditing is needed, and this fact won't change for the foreseeable future. However, a company can make inroads into securing their e-mails.

DLP (Data Loss Prevention) solutions exist out there that will actively encrypt any e-mails that contain sensitive information, or prevent them from leaving a company's servers. It works based on filters that are set to recognize key words and number patterns. For example, a mortgage company might want to prevent any unencrypted e-mails with numbers in the xxx-xx-xxxx pattern being sent: these are probably Social Security numbers.

Likewise, a filter would be set up for Social Security, SSN, SSNs, and other key words that indicate such a number is contained within e-mails.

Combining the above with disk encryption software will ensure a broader degree of company data security. Of course, it will never be total security, which is why you also need access control (via physical locks and authorization levels), employee training in good data security practices, monitoring and auditing, etc.

However, it will go a long way in terms of reducing your company data risk profile.

Drive Encryption Software Or Laptop Insurance For Protection?

sang_lee — Fri, 27 Aug 2010 23:24:00 GMT

A UK company called Protect your bubble is offering laptop insurance for £3.99 a month (about US$6.00). While such protection products are to be welcomed, one must remember that we're talking about asset protection, not data protection, which is only possible via tools like hard disk encryption such as AlertBoot.

It's a Good Idea to Get It Insured--Just In Case. Really?

Protect your bubble states the following:

When your laptop has so many precious items on it, like all your photos, bookmarks and documents, it’s a good idea to get it insured – just in case. Plus the cost of replacing your laptop is another important reason to make sure you’re covered.

I couldn't agree--and disagree--more. Certainly, a laptop computer can be a tremendous investment, and one may want to consider insuring it. After all, these devices probably have a higher theft rate than cars, and pretty much everyone has auto theft insurance for the latter in one form or another (although, you really should check if you actually do).

Of course, vehicles tend to be much more expensive than laptops; but, the price of insurance is relative to the asset being protected. Let me pose this question, though: how is insurance going to bring back your photos, bookmarks, and documents? It's not.

"Risk" is a Catchall Word

When dealing with risk involving laptops, you have to pay attention to what you mean. Risk is a catchall term. If you want to get down to the nitty-gritty, you'd see that there are many different kinds of risks when dealing with a lost or stolen laptop computer.

Asset risk

Data breach risk

Data loss risk

Lost opportunity risk

Risk is not confined to the above, but these four are the ones that popped into my head.

Asset risk is the loss of the laptop, of course. If you're out a computer, you'll have to get a new one that at least has the same functions and capabilities as the one you just lost. Essentially, if you're out a laptop, you'll probably have get a new one. Insurance is about the only way to mitigate this risk unless you're willing to engage in some unorthodox asset risk mitigation practices, such as stealing the same exact model to replace your old one. Such mitigation carries additional risks, such as jail time.

Data breach risk is the danger of having your--or others'--sensitive and private data exposed, such as SSNs, passwords and access to on-line bank accounts, tax returns, or other information. The only to mitigate this risk is to use data protection tools. When security experts are asked, most will agree that encryption software is about the only tool that truly effectively minimizes data breach risks.

Data loss risk is the danger of losing your data permanently. Be it a list of customer SSNs that are encrypted, your college honors thesis, or a folder full of family pictures, this data is lost if your laptop is lost. No amount of insurance will bring back this stuff. The only way to mitigate this particular risk is to backup data.

Finally, the risk of lost opportunities is the "risk" you face while you wait around for your company to pay up for a new laptop. While you're waiting, you're out a laptop. The only way to mitigate this risk is to have a second computer available, just in case. Or, you could borrow a friend's or use a public computer, but you'd be hampered, and this leads to lost opportunities.

I'm nitpicking, but Protect your bubble should rewrite the above quote so that it puts the cost of replacing a laptop front and center. Otherwise, people might think that the offered financial product covers more than it actually does.

Related Articles and Sites:
http://www.protectyourbubble.com/li-laptop-insurance.html