AlertBoot Endpoint Security : security

Connecticut Personal Information Data Privacy Notification And Encryption Laws: Sec. 36a-701b

sang_lee — Thu, 02 Sep 2010 03:58:00 GMT

Connecticut currently has a data breach notification law on its books. Like many states, the use of encryption tools, such as full disk encryption for laptop data protection, provides safe harbor from sending out notification letters in the event of a data breach.

I just had to take a look into it after yesterday's post on Connecticut's insurance data breach notification directive.

The state's notification law is surprisingly short.

Data Encryption Provides Safe Harbor From Breach Notification

Connecticut is one of those states that does not twist language and logic in order to essentially say, "if you used encryption to protect data, you're golden." Many state laws provide safe harbor by defining personal information as "unencrypted personal information." Then, they mandate notification letters in the event of a data breach of personal information.

Since encrypted personal information is by definition not personal information (see how convoluted that is?), the breach of encrypted personal information does not require breach notifications. No such non-sense with Connecticut. Here's their definition of a breach:

For purposes of this section, "breach of security" means unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [Sec. 36a-701b(a)]

Oh, my! How stupendously direct and clear that is! Honestly, I've got to congratulate the Connecticut legislature for making things so easy to comprehend.

I mean, certainly there are loopholes (would password-protection be considered a method that "renders the personal information unreadable or unusable?" I would not). However, you don't have jump and hop over different sections to figure out what's going on.

Note how the breach is relegated to computerized data only. This is something of an antiquated definition of a data breach. Notification ought to be extended to paper records as well, just like the CT Insurance Commissioner mandated to its registered entities.

In fact, many states are updating data breach notification laws to include information breaches of paper documents.

What Is Considered A Personal Information Security Breach In Connecticut?

According to the law "personal information" is the first name (or initial) and last name combined with:

Social security number

Driver's license or state ID information

Financial information, such as account numbers, credit card numbers, etc.

Nothing surprising here.

What Needs to Be Included In The Customer Notification Letter?

There are no specifics on what needs to be included in notification letters, although this is not uncommon. Many states do not specify content requirements, although those that do generally tend to include the following:

The incident in general terms;

The type of personal information that was subject to the unauthorized access and acquisition;

The general acts of the individual or entity to protect the personal information from further unauthorized access;

A telephone number that the person may call for further information and assistance, if one exists; and

Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

There are exceptions to sending notification letters if the cost of doing so involves or exceeds 500,000 people or $250,000, respectively. In that case, substitute notices can be sent out as long as all of the following are adhered to:

E-mail is sent out, for affected persons whose electronic addresses are on file

Conspicuous posting on the breached entity's website

Notification to state-wide media

Penalties

No specific penalties are listed for not complying with CT's breach notification legislation. However,

Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General. [Sec. 36a-701b(g)]

I would suggest the use of AlertBoot endpoint encryption vs. having to deal with all of the above if and when things go awry. I mean, why not take advantage of a safety net (in the form of encrypted data) if you're being afforded one?

Related Articles and Sites:
http://www.cga.ct.gov/2009/pub/chap669.htm#Sec36a-701b.htm

Connecticut Insurance Data Breach Notification Rules: No Safe Harbor For Data Encryption

sang_lee — Wed, 01 Sep 2010 02:21:00 GMT

The Connecticut Insurance Commissioner issued Bulletin IC-25 earlier this month, officially instructing all Department of Insurance Regulated Entities to "notify the Department of any information security incident[s]." The use of data encryption won't be grounds for granting safe harbor, a departure from the State's own personal information breach disclosure laws.

The order to inform the Department extends to the breach of paper records as well--not just digital data found in computers, external drives, etc.--and entities will have give notification within five calendar days after the breach is found. Notification has to be in writing: first class mail, overnight delivery, and e-mail are given as options.

The bulletin is quick to point out that it knows that maintaining good information security is overwhelming for any business. In fact, it even "expects" it to be so, which means, I guess, the Department is aware that information security breaches are something it will have to live with (but, of course, continuously work to eliminate). The latest mandate is not meant as a punitive measure:

The Department's concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information. The Department also wants to make sure that there is an opportunity for the Department to actively monitor the situation and guarantee those consumer protections throughout the process.

On the other hand, the Insurance Commissioner also notes:

Each incident will be evaluated on its own merits and depending on the circumstances, some situations may warrant imposition of administrative penalties by the Department. To minimize that potential, licenses and registrants are urged to follow these procedures.

I'm sure that penalties will be assessed in only the most egregious circumstances.

The bulletin itself is a short read, only 4 pages long, and also contains:

Definitions on what comprises an information security incident

What must be included in the content of the notification letter

Where the Department gains its authority to mandate notification

A list of Regulated Entities that needs to

In closing, I should point out that the now-mandatory notification under Bulletin IC-25 is to the Department only. As far as I can tell, it's up to the breached companies to figure out whether their clients should be notified of the breach as well.

I guess that makes sense, and it also helps explains why the use of encryption software is not grounds for safe harbor, at least not for reporting to the Department itself.

If sensitive information is breached but clients are not at risk because encryption is used...well, the clients don't really need to be alerted to the fact that "you're still safe." However, not being informed of a breach doesn't really help the Department figure out the overall picture, and that's what it really seems to want.

Encryption For E-Mail: Electronic Mail Is Leading Cause For Enterprise Data Loss

sang_lee — Mon, 30 Aug 2010 22:30:00 GMT

Informationweek.com points out that electronic mail is still the leading cause of data breaches at companies, despite its use being "on the wane" due to inroads by new social media. The same technology--such as laptop encryption software from AlertBoot--that guards data stored on computers can also be applied successfully to protect outgoing e-mails.

Some Stats

According to informamtionweek.com:

35% of large enterprises launched investigations into data leaks via e-mail in 2009

72% are worried about personal and financial information breaches via outbound e-mail

71% are also concerned about ex-workers e-mailing trade secrets and other corporate secrets via e-mail

48% performs audits of outbound e-mail

37% have employees monitoring the contents of outbound e-mail (33% have people whose jobs are exclusively reading and analyzing such e-mail)

Readers will readily note that some of the practices listed above are not exactly preventative, nor do they come close to being preventative. For example, audits of outbound e-mail, while necessary in order to get a grip on whether current security is adequate, cannot do much to secure information that has already been sent out to an outside party. Even if the audit were to catch it relatively quickly, there's no way to prevent the receiving party from reading it.

Another example is a situation where an e-mail is sent with an attachment that contains sensitive information. The correct person received it; however, the e-mail should have been encrypted due to the sensitive nature of the attachment. An auditor runs across the situation, but if the company does business in Sin City, it's already afoul of Nevada's data breach law, which was amended one year later: e-mails that contain personal information, such as SSNs, must be encrypted.

Email Encryption, Automated

Human monitoring and auditing is needed, and this fact won't change for the foreseeable future. However, a company can make inroads into securing their e-mails.

DLP (Data Loss Prevention) solutions exist out there that will actively encrypt any e-mails that contain sensitive information, or prevent them from leaving a company's servers. It works based on filters that are set to recognize key words and number patterns. For example, a mortgage company might want to prevent any unencrypted e-mails with numbers in the xxx-xx-xxxx pattern being sent: these are probably Social Security numbers.

Likewise, a filter would be set up for Social Security, SSN, SSNs, and other key words that indicate such a number is contained within e-mails.

Combining the above with disk encryption software will ensure a broader degree of company data security. Of course, it will never be total security, which is why you also need access control (via physical locks and authorization levels), employee training in good data security practices, monitoring and auditing, etc.

However, it will go a long way in terms of reducing your company data risk profile.

Drive Encryption Software Or Laptop Insurance For Protection?

sang_lee — Fri, 27 Aug 2010 23:24:00 GMT

A UK company called Protect your bubble is offering laptop insurance for £3.99 a month (about US$6.00). While such protection products are to be welcomed, one must remember that we're talking about asset protection, not data protection, which is only possible via tools like hard disk encryption such as AlertBoot.

It's a Good Idea to Get It Insured--Just In Case. Really?

Protect your bubble states the following:

When your laptop has so many precious items on it, like all your photos, bookmarks and documents, it’s a good idea to get it insured – just in case. Plus the cost of replacing your laptop is another important reason to make sure you’re covered.

I couldn't agree--and disagree--more. Certainly, a laptop computer can be a tremendous investment, and one may want to consider insuring it. After all, these devices probably have a higher theft rate than cars, and pretty much everyone has auto theft insurance for the latter in one form or another (although, you really should check if you actually do).

Of course, vehicles tend to be much more expensive than laptops; but, the price of insurance is relative to the asset being protected. Let me pose this question, though: how is insurance going to bring back your photos, bookmarks, and documents? It's not.

"Risk" is a Catchall Word

When dealing with risk involving laptops, you have to pay attention to what you mean. Risk is a catchall term. If you want to get down to the nitty-gritty, you'd see that there are many different kinds of risks when dealing with a lost or stolen laptop computer.

Asset risk

Data breach risk

Data loss risk

Lost opportunity risk

Risk is not confined to the above, but these four are the ones that popped into my head.

Asset risk is the loss of the laptop, of course. If you're out a computer, you'll have to get a new one that at least has the same functions and capabilities as the one you just lost. Essentially, if you're out a laptop, you'll probably have get a new one. Insurance is about the only way to mitigate this risk unless you're willing to engage in some unorthodox asset risk mitigation practices, such as stealing the same exact model to replace your old one. Such mitigation carries additional risks, such as jail time.

Data breach risk is the danger of having your--or others'--sensitive and private data exposed, such as SSNs, passwords and access to on-line bank accounts, tax returns, or other information. The only to mitigate this risk is to use data protection tools. When security experts are asked, most will agree that encryption software is about the only tool that truly effectively minimizes data breach risks.

Data loss risk is the danger of losing your data permanently. Be it a list of customer SSNs that are encrypted, your college honors thesis, or a folder full of family pictures, this data is lost if your laptop is lost. No amount of insurance will bring back this stuff. The only way to mitigate this particular risk is to backup data.

Finally, the risk of lost opportunities is the "risk" you face while you wait around for your company to pay up for a new laptop. While you're waiting, you're out a laptop. The only way to mitigate this risk is to have a second computer available, just in case. Or, you could borrow a friend's or use a public computer, but you'd be hampered, and this leads to lost opportunities.

I'm nitpicking, but Protect your bubble should rewrite the above quote so that it puts the cost of replacing a laptop front and center. Otherwise, people might think that the offered financial product covers more than it actually does.

Related Articles and Sites:
http://www.protectyourbubble.com/li-laptop-insurance.html

Data Security: Guy Shoots $100,000 Server With Gun While Drunk Off His A** (Rhymes With Pass)

sang_lee — Fri, 27 Aug 2010 02:55:00 GMT

Sometimes, there is such a things as too much security. For example, instead of drive encryption software like AlertBoot, you've got a .45-caliber automatic to defend your server. Or, instead of using a magnetic degausser, you decide to empty rounds into your server using a .45-caliber automatic.

I mean, that's why you'd bring a gun into a server room, right? Right?

Guy Gets Drunk, Shoots Server, Concocts Story

Not if you happen to be Joshua Lee Campbell, 23, working at RANlife Home Loans, a mortgage company in Utah. After spending a night of drinking, he went to work, shot a $100,000 server then called the police to report the crime (and pinned it on some unknown assailant).

Of course, besides being a ludicrous story (who the heck assaults a person and then proceeds to shoot out a server?), there were signs that Mr. Campbell might have been telling a tall one:

Police "could smell alcohol and urine on him" when they arrived on the scene [deseretnews.com]

Only one computer server was shot. Nothing else happened, apparently: no other equipment was destroyed, nothing was stolen, nada [various sources]

A coworker found Campbell passed out with his pistol next to him [deseretnews.com]

An acquaintance let police know that Campbell had threatened to empty rounds into a server and save the last bullet for himself [various sources]

If I had read this story on Variety or some other Hollywood publication, I would've assumed that this was Mike Judge's follow up to Office Space. I can totally imagine the pitch: "It's like Office Space meets The Fugitive. The red stapler will have a cameo, of course. Instead of a bat to the printer, it'll be a Colt semi-automatic to a server: We've got to keep up with the times. We'll use Rick Astley's 'Never Gonna Give You Up' for irony, instead of the gangster song...."

Stuff Happens

Although I cannot imagine anyone being prepared for something like the above, the truth is that this is not the first time a company has had problems with an employee. From memory, I can think of instances where an employee planted a logic bomb; stolen hardware; stole data; hacked into company servers after being fired; and deleted files and databases.

These are real concerns, and companies have to be prepared for such scenarios, which is why data security runs the gamut of:

Limiting physical access, such as locked doors and cabinets

Limiting software access, such as securing USB ports and using encryption software with personal passwords

Regularly backing up data and storing them in safe locations

Having contingency plans

Some even claim that employees must be forced into week-long vacations once a year, just to see if anything breaks down and instances of fraud show up (something that won't happen if the person is around to manage the crisis). Man, what I'd give to have that enforced....

The point of all this rambling: data security is not just about securing data, such as using laptop encryption. You must also ensure that you can recover any necessary data for when things go wrong. Don't forget to backup information (and perhaps have that encrypted as well). The more critical the data is, and the more often it is updated, the more you need to back it up.

Mercer Health and Benefits Lost Tape Affects 380,000? So Says Idaho Power

sang_lee — Wed, 25 Aug 2010 22:52:00 GMT

Databreaches.net has a link to a FAQ created by Idaho Power, where it notes that employee information was breached when Mercer Health & Benefits lost a backup tape. The information on this tape was not protected with encryption, the same technology that powers AlertBoot endpoint security software, and it looks like the data breach has affected nearly 400,000 people.

Numerous Breach Notifications

To date, databreaches.net has found three breach notifications related to the Mercer tape loss. I, too, had mentioned something in passing earlier this month, based on the information found at databreaches.net (that site's a wonderful resource).

One of these breached companies, Idaho Power, has put up a FAQ for their employees, and has revealed a couple of things that were not apparent before.

Hundreds of Thousands Affected, Not Sure About Breach Risk

First, it has announced how many people were affected in total. Previously, we only had a partial count: a thousand with this company, another couple of hundred with that company, etc. I already knew from firsthand experience that the numbers couldn't possibly be low. Mercer is a pretty big company, and backup tapes can hold a lot of data (and they usually do).

My own conservative, and unpublished, opinion was that it would affect people in the tens of thousands, at least. Idaho Power claims it's 5,000 of their own employees plus "375,000 other individuals." In other words, approximately 380,000 people were affected by this data breach.

Second, Idaho Power has made it a point to counter Mercer's claims that, despite the lack of data encryption on the tape, the information is probably safe. From Idaho Power's FAQ:

While the tape was not encrypted, Mercer indicates it is not the type of media that is readily accessible. Idaho Power disagrees and we are moving forward with our own independent investigation. You will be informed as the investigation progresses. [my emphasis]

This is the first time I've read where a company openly disagrees with a business associate, be it a partner, a subcontractor, etc. Usually, when a company experiences a data breach through no fault of their own, that company is busy hiding the third-party company's name. For example, when The Gap had a breach back in 2007, it wouldn't mention which company actually caused the breach. I only found out earlier this year when a court case was made public.

I'm not quite sure what to make of Idaho Power's position. Does it mean that Mercer's claim--that the lost information is safe--is incorrect? Does it mean that Mercer could be right, but Idaho Power wants to make sure? Perhaps Idaho is trying to mitigate any potential lawsuits?

I know this much for sure: all of this very well could have been avoided if the information on that backup tape had been protected with encryption.