Payment Card Industry (PCI) Data Security Standard and ...

Payment Card Industry (PCI) Data Security Standard and ...

Educause Security Professionals Conference 2007 Roundup of Legal Developments in Cubersecurity & Privacy Law M. Peter Adler JD, LLM, CISSP, CIPP Adler InfoSec & Privacy Group LLC Interim Director of Privacy and Cybersecurity, Montgomery College, Rockville, MD Adler InfoSec & Privacy Group LLC Agenda Overview of Federal Security and Privacy Legislation Relating to Privacy and Security Developments in security and privacy laws and regulations over the past year Key agency actions and litigation

Adler InfoSec & Privacy Group LLC 2 Overview of Federal Security and Privacy Legislation Relevant to Higher Education Adler InfoSec & Privacy Group LLC 3 Key Laws and Regulations, Privacy Federal HIPAA, GLBA, COPPA GLBA: Gramm-Leach-Bliley Act, 15 U.S.C. 6801,6805 Adler InfoSec & Privacy Group LLC 4 GLBA - Reach

The Securities and Exchange Commission ("SEC"); 65 Fed. Reg. 40362, codified at 17 C.F.R. 248.30 (SEC) The National Credit Union Administration (NCUA); 12 C.F.R. Parts 716 (privacy) and 748 (security) Federal Banking Agencies: Interagency Guidelines Establishing Standards for Safeguarding Customer Information; 66 Fed Reg. 8616, codified as follows: The Office of the Comptroller of the Currency (OCC) , 12 C.F.R. Part 30 (Treasury) The Board of Governors of the Federal Reserve System , 12 C.F.R. Parts 208, 211, 225 and 263 The Federal Deposit Insurance Corp. ("FDIC") , 12 C.F.R. Parts 408 and 364,

The Office of Thrift Supervision ("OTS" ); codified at 12 C.F.R. Parts 568 and 570 (security) and 573 (privacy) Adler InfoSec & Privacy Group LLC 5 GLBA and Higher Education Most higher education is pulled under GLBA for processing of student loans GLBA Privacy provisions are met if the institution complies with FERPA The Security Regulations Do Apply Standards for Safeguarding Customer Information; Final Rule: 67 Fed. Reg. 36484, codified at 16 C.F.R. Part 314 (GLBA Safeguards) Adler InfoSec & Privacy Group LLC 6

Additional GLBA Provisions In addition to the imposition of safeguards, these regulations also provide for Record Disposal: FRCA (as amended by Fair and Accurate Credit Transactions Act of 2003) FACTA) 15 USC 1681 (record disposal) Breach Notification Rule Adler InfoSec & Privacy Group LLC 7 Family Education Rights & Privacy Act (FERPA)

Leading federal privacy law for educational institutions. Imposes confidentiality requirements over student educational records. Prohibiting institutions from disclosing "personally identifiable education information" such as grades or financial aid information without the student's written permission. Provides students with the right to request and review their educational records and to make corrections to those records. Law applies with equal force to electronic and hardcopy records. Adler InfoSec & Privacy Group LLC 8 Federal Information Security Act of 2002 FISMA FISMA: Federal Information Security Act of 2002, 44 U.S.C.

3537 et seq. Requires compliance with a set of standards federal government information security Federal Information Processing Standards (FIPS) NIST Standards Applies to Federal information System An information system used or operated by an executive agency, or by another organization on behalf of an executive agency May be applicable to higher education: Through government contracts Also, some federal agencies (labor) are beginning to hold fund recipients to these standards. Department of Education, National Science Foundation and National institutes of Health may do the same: See ECAR Report Page 93.

Adler InfoSec & Privacy Group LLC 9 HIPAA HIPAA: Health Insurance Portability and Accountability Act, 42 U.S.C. 1320d-2 and 1320d-4 45 C.F.R. Parts 160 and 164 Applies to health care providers, plans and clearinghouses In higher education will apply to student health services Adler InfoSec & Privacy Group LLC 10 Sarbanes Oxley Sarbanes Oxley Act, 15 U.S.C. 7241

and 7267 (SOX) Not really relevant to Higher Education, but some institutions desire to become SOX Compliant Adler InfoSec & Privacy Group LLC 11 SOX and Security Sarbanes Oxley Act, 15 U.S.C. 7241 and 7267 SOX is "basically silent" on information security, However Information Security is implicit: COBIT Standard

Certification of effectiveness of controls (404) Annual assessment and report on effectiveness of the controls (302) The SEC final rules rules require management to certify that two types of controls have been established and their effectiveness has been assessed Access Security Internal Controls Adler InfoSec & Privacy Group LLC 12 SOX Standards: COSO and COBIT Committee on Sponsoring Organization of the Treadway Commission (COSO) COSO is a voluntary private sector organization dedicated to

improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance Integrity and Ethical Values Commitment to Competence Board of Directors or Audit Committee Management Philosophy and Operating Style Organizational Structure Assignment of Authority and Responsibility Human Resource Policies and Procedures COBIT (Control Objectives for Information and related Technology) COBIT Security Baseline:

Security Policy Security Standards Access and Authentication User Account Management Network Security Monitoring Segregation of Duties Physical Security Adler InfoSec & Privacy Group LLC 13 Emerging Issues Adler InfoSec & Privacy Group LLC 14 Communications Assistance for Law Enforcement Act (CALEA)

Aug. 5, 2005, The FCC adopted a final order providing that certain wireline broadband and interconnected Voice over Internet Protocol (VoIP) services be prepared to accommodate law enforcement wiretaps pursuant to the CALEA (as a hybrid between traditional telecommunications carriers and information services) Privacy groups challenged the commission's ruling in court June 9, 2006, The U.S. Court of Appeals for the D.C. Circuit ruled that the expansion of a federal law enforcement telecommunications wiretapping law to certain broadband Internet service and VoIP providers is legal (American Council on Educ. v. FCC, D.C. Cir., No. 05-1404, petition denied 6/9/06 Adler InfoSec & Privacy Group LLC 15 Applicability of CALEA to Private Networks The FCCs Order recognized that private broadband networks

or intranets that enable members to communicate with one another and/or to receive information from shared data libraries not available to the general public . . . appear to be private networks for purposes of CALEA, and thus exempt. At the same time, however, the Order suggested that the exemption could be lost if such private networks connect to the Internet, as virtually all higher education networks do. The Order stated: To the extent that . . . private networks are interconnected with a public network, either the PSTN or the Internet, providers of the facilities that support the connection of the private network to the public network are subject to CALEA under the SRP. In subsequent meetings and press statements, the FCC declined to elaborate on the meaning of this statement. Adler InfoSec & Privacy Group LLC 16 Does the Campus Network Support the Connection to the

Internet? While the language in the FCC Order is cryptic, the FCCs court brief sets forth a more workable test: Colleges and universities that provide their own connection to the Internet are subject to CALEA (at least with respect to those Internet connection facilities), while institutions that rely on a third party for this connection are exempt. Adler InfoSec & Privacy Group LLC 17 Does the Campus Network Support the Connection to the Internet? This still leaves some gray areas, but the FCC most likely would conclude that an institution provides its own Internet connection when it constructs, purchases,

leases, or otherwise operates fiber optic or other transmission facilities and associated switching equipment that link the campus network to an ISPs point of presence. Adler InfoSec & Privacy Group LLC 18 Communications Assistance for Law Enforcement Act (CALEA) - exempt In contrast, the FCC most likely would conclude that an institution is exempt if it obtains access to the Internet by (1) contracting with an ISP or regional network to pick up Internet traffic from a campus border router, (2) purchasing a private line or other transmission service from a telecommunications carrier on a contractual or tariffed basis (as opposed to leasing dark fiber or other facilities), or (3) relying on some combination of these approaches.

If a campus network is closed (i.e., does not connect to the Internet), it is clearly exempt from CALEA under the private network exemption. Interconnected networks that support their own Internet connection appear to enjoy a limited exemption if they otherwise qualify as private. Specifically, only the gateway equipment itself is subject to CALEA the Internet portions of a private network remain exempt. Adler InfoSec & Privacy Group LLC 19 Communications Assistance for Law Enforcement Act (CALEA) deadlines The CALEA compliance deadline remains May 14, 2007, and applies equally to all facilities-based broadband access providers and interconnected VoIP service providers, with restricted availability of compliance extensions.

Carriers are permitted to meet their CALEA obligations through the services of Trusted Third Parties (TTP) including processing requests for intercepts, conducting electronic surveillance, and delivering information to LEAs. However, carriers remain responsible for ensuring the timely delivery of information to the LEA and protecting subscriber privacy, as required by CALEA. Adler InfoSec & Privacy Group LLC 20 Discovery Rules The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the partys preparation for trial. - Blacks Law Dictionary The Federal Rules of Civil Procedure (and most state law) provides the following discovery tools:

Depositions Upon Written or Oral Written Questions (Rules 30, 31 and 32) Written Interrogatories (Rule 33) Production of Document or Things (Rule 34) Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34) Physical and Mental Examinations (Rule 35) Requests for Admission (Rule 36) Tools to Ensure or Excuse Discovery

Motion to Compel (Rule 37(a)) Sanctions (Rule 37 (b), (c)&(d)) Protective Orders (Rule 26(c)) Adler InfoSec & Privacy Group LLC 21 E-Discovery: 12/2006 New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) are expected by December of this year. These Rules are broken into the following categories: Early attention to electronic discovery issues: Rules

16 and 26(f) Better management of discovery into ESI that is not reasonably accessible: Rule 26(b)(2) New provision setting out procedure for assertions of privilege after production: Rule 26(b)(5) Interrogatories and Requests for Production of ESI: Rules 33 and 34 Application of sanctions rules pertaining to ESI: Rule 37 Adler InfoSec & Privacy Group LLC 22 Real ID Act Real ID Act (H.R. 1268) Part of a supplemental bill funding wars in Iraq and Afghanistan (Signed May 2005)

Will tighten requirements for identification cards acceptable to the federal government, require proof that an applicant is legally in the country, and require state participation in a national driver's license data sharing program Tasked the DHS with proposing regulations to implement minimum standards for identification cards acceptable for federal government purposes, such as boarding a domestic airline flight Requires data exchange between the states and between individual states and the Federal government. Commercial airline passengers would have to provide the new card or a passport to board a U.S. plane Amounts to the first step toward creation of a national identification card which raises concerns about ensuring the privacy and security of information being shared Adler InfoSec & Privacy Group LLC 23 New Laws

Veterans Benefits, Health Care, and Information Technology Act of 2006" (S. 3421). Undertaking Spam, Spyware, and Fraud Enforcement Beyond Borders Act" (S. 1608 Requires the VA to adopt rules for notifying veterans in the case of breach of their personal data Signed December 22, 2006 Known as the US SAFE WEB Act (S. 1608), authorizes the FTC to share information with foreign agencies that treat consumer fraud and deception as a criminal law enforcement issue. Signed December 22, 2006 Telephone Records and Privacy Protection Act of 2006 (HB 4709)

Anti-pretexting law Signed by the President January 12, 2007 Adler InfoSec & Privacy Group LLC 24 Pending Federal Notice of Breach Legislation Adler InfoSec & Privacy Group LLC 25 Federal Efforts Notice of Security Breach, Senate Senate: S 495, Personal Data Privacy and Security Act of 2007 (PDPSA), Leahy Specter Bill. S. 239, Notification of Risk to Personal Data Act of 2007

Both would preempt state law Differ in terms of safe harbor, exemptions, penalties, notice procedures Adler InfoSec & Privacy Group LLC 26 Federal Notice of Breach Law Status Personal Data Privacy and Security Act of 2007 would, among other things, require organizations to notify consumers of security breaches mandates the adoption of internal policies to protect personal data. Adler InfoSec & Privacy Group LLC

27 Leahy-Specter 2007 Security Program Requires companies that have databases with personal information on more than 10,000 Americans to: establish and implement data privacy and security programs, and vet third-party contractors hired to process data. There are exemptions for companies already subject to data security requirements under Gramm-Leach-Bliley and the Health Information Portability and Accountability Act. Adler InfoSec & Privacy Group LLC 28 Leahy-Specter 2007

Personal Data Privacy and Security Act of 2007 would: Make it a crime to intentionally or willfully hide a security breach; Provide consumer access and correction rights to information held by commercial data brokers; Require companies to notify authorities of breaches; Require government agencies to adopt privacy protection rules when agencies use information from commercial data brokers; and Require audits of government contracts with commercial data brokers. Adler InfoSec & Privacy Group LLC 29

Leahy-Specter 2007 Required Notices Requires notice to law enforcement, consumers and credit reporting agencies when digitized sensitive personal information has been compromised. The trigger for notice is tied to significant risk of harm with appropriate checks-andbalances to prevent over-notification as well as underreporting. There are exemptions for national security and law enforcement needs, credit card companies using fraud-prevention techniques or where a breach does not result in a significant risk of harm. Adler InfoSec & Privacy Group LLC 30 Federal Efforts Notice of

Security Breach, House The "Data Security Act of 2007" (H.R. 1685), sponsored by second term Rep.Tom Price (R-GA), would require businesses and federal government agencies to notify individuals if their sensitive personal or financial information is compromised through a data security breach. The "Cyber-Security Enhancement and Consumer Data Protection Act of 2007" (H.R. 836), introduced Feb. 6 by Rep. Lamar Smith (R-TX), ranking member of the Judiciary Committee, and eight other GOP cosponsors, would require notification of federal law enforcement officials of certain data breaches and provide criminal and civil penalties for knowingly concealing such breaches The "Data Accountability and Trust Act" (H.R. 958), introduced by Reps. Bobby Rush (D-Ill.) and Cliff Stearns (R-FL). The bill's goal is to curb identity theft. It would require companies to implement data security programs and to notify individuals affected by a data security breach It would require business to notify individuals if their personal information is compromised in a data breach incident. In addition, businesses would be required to notify the FTC of the breach. Adler InfoSec & Privacy Group LLC

31 Federal Breaches Staff report of the Committee on Government Reform, dated October 13, 2006 Report found: Data breach incidents in federal agencies since January 2003 have been more widespread and numerous than previously disclosed All 19 Departments and agencies reported at least one loss of Personally Information (PI) since 1/1/03 Agencies do not always know what has been lost

Physical security of data is essential Contractors are responsible for many of the reported breaches Veterans Benefits, Health Care, and Information Technology Act of 2006" (S. 3421). Requires the VA to adopt rules for notifying veterans in the case of breach of their personal data Signed December 22, 2006 Adler InfoSec & Privacy Group LLC 32 State Notice of Breach Legislation Adler InfoSec & Privacy Group LLC 33 1st Law on Notice of Security Breach SB 1386

Applies to all companies in California or that do business in California Companies must disclose any security breaches to each affected California customer whose PI has been compromised. Personal information (notice triggering information) is individuals first name or first initial, combined with the last name, plus any one of the following identifiers: (1) Social Security number (2) drivers license number or California Identification Card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the account. Failure to comply may result in lawsuits and damages. Adler InfoSec & Privacy Group LLC 34 Since ThenState Breach Notice Laws Proliferate

Arizona (Ariz. Rev. Stat. 44-7501 ) Arkansas (Ark. Code 4-110-101 et seq. ) California (Cal. Civ. Code 1798.82 ) Colorado (Col. Rev. Stat. 6-1-716 )

Connecticut (Conn. Gen Stat. 36A-701(b) ) Delaware (De. Code Florida (Fla. Stat. 817.5681 ) tit. 6, 12B-101 et seq. ) Georgia (Ga. Code 10-1-910 et seq. ) Hawaii (Hawaii Rev. Stat. 487N-2 )

Idaho (Id. Code 28-51-104 to 28-51-107 ) Illinois (815 Ill. Comp. Stat. 530/1 et seq. ) Indiana (Ind. Code 24-4.9 ) Kansas (Kansas Stat. 50-7a01, 50-7a02 (2006 S.B. 196, Chapter 149) ) Louisiana (La. Rev. Stat. 51:3071 et seq. ) Maine (Me. Rev. Stat. tit. 10 1347 et seq. ) Adler InfoSec & Privacy Group LLC 35 and Proliferate!

Michigan (2006 S.B. 309, Public Act 566) Minnesota (Minn. Stat. 325E.61, 609.891 ) Montana (Mont. Code 30-141701 et seq. ) Nebraska (Neb. Rev Stat 87-801 et. seq. ) Nevada (Nev. Rev. Stat. 603A.010 et seq. ) New Hampshire (N.H. RS 359C:19 et seq. ) New Jersey (N.J.Stat. 56:8-163 ) New York (N.Y. Bus. Law 899-aa ) North Carolina (N.C. Gen. Stat 75-65 ) North Dakota (N.D. Cent. Code 51-30-01 et seq. )

Ohio (Ohio Rev. Code 1349.19, 1347 et seq. ) Oklahoma (Okla. Stat. 74-3113.1 ) Pennsylvania (73 Pa. Cons. Stat. 2303 ) Rhode Island (R.I. Gen. Laws 11-49.2-1 et seq. ) Tennessee (Tenn. Code 47-18-2107 ) Texas (Tex. Bus. & Com. Code 48.001 et seq. ) Utah (Utah Code 13-44-101 et seq. ) Vermont (Vt. Stat. Tit. 9 2430 et seq. ) Washington (Wash. Rev. Code 19.255.010 ) Wisconsin (Wis.Stat. 895.507 ) Wyoming (SF 53)

Adler InfoSec & Privacy Group LLC 36 2007 Notice of Breach Proposed Legislation Alaska (H.B. 31, S.B. 21) Arizona (S.B. 1042) District of Columbia (B16-810) Illinois (H.B. 3743, H.B. 4198, S.B. 209, S.B. 1479, S.B. 1798, S.B. 1899, S.B. 3040) Kentucky (HB 7) Massachusetts (H.B.

4775) Maryland (HB 208, S 194) Mississippi (S.B. 2089) Montana (S.B. 33) New Jersey (A.B. 259, A.B. 2104, A.R. 190, S.R. 51) Oregon (SB 583) South Carolina (H.B. 3035, S.B. 8, SB 453) Adler InfoSec & Privacy Group LLC 37

State Breach Notification Laws Most of the laws require notification if there has been, or there is a reasonable basis to believe that, unauthorized access that compromises personal data has occurred Some states have some form of harm or risk threshold, under which entities need not notify individuals of a breach if an investigation by the covered entity (sometimes in conjunction with law enforcement) finds no significant possibility that the breached data will be misused to do harm to the individual Some state laws may require certain security standards, e.g., California, but there may be others. Adler InfoSec & Privacy Group LLC 38 State Breach Notice Laws

Generally, the State Data Breach laws were modeled on California's S.B. 1386. The laws: apply only to breaches of unencrypted personal information, and require written notification after a breach is discovered; at a minimum, define "personal information -- as a name, in combination with a Social Security number, driver's license or state identification number, or financial account or debit card number plus an access code --the breach of which triggers the need to notify consumers; give states Attorney General enforcement authority; allow for a delay in notification if a disclosure would compromise a law enforcement investigation, except Illinois; allow substitute notice to affected individuals via announcements in statewide media and on a Web site if more than 500,000 people are affected or the cost of notification would exceed $250,000 --Rhode Island, Delaware, Nebraska, Ohio set lower thresholds; and some provide a safe harbor for covered entities that maintain internal data security policies that include breach notification provisions consistent with state law. Adler InfoSec & Privacy Group LLC 39 2006 Higher Education Security Breaches

Virginia Commonwealth University, 2100 affected Human error caused the names, Social Security numbers and e-mail addresses of about 2,100 current and former Virginia Commonwealth University students to be available online for eight months, the school says. VCU announced yesterday that it is contacting affected students, but there is no indication that their information has been viewed or used. According to VCU, the personal information of freshmen and graduate engineering students from the fall semester of 1998 through 2005 was unintentionally placed in a folder available on the Internet. VCU said the problem was discovered Tuesday by a student who Googled her name and found personal information. The data became exposed in January when files on a School of Engineering server were moved to an insecure folder. (Timesdispatch.com, September 1, 2006) Adler InfoSec & Privacy Group LLC 40 2006 Higher Education Security Breaches Vermont State Colleges, 20,000 affected Two unions representing workers in the Vermont State College system want the administration to pay the costs of protecting workers' personal information lost when a laptop computer was stolen. Many employees are worried about

what the loss of information such as Social Security numbers, birth dates, home addresses and bank account numbers could mean for them. . . . The laptop was stolen Feb. 28 in Montreal from the car of a Lyndon State College information technology employee. It contained six years worth of personal and financial information of an estimated 20,000 present and former employees and students at all five state colleges. (Associated Press Newswires, April 9, 2006) Adler InfoSec & Privacy Group LLC 41 2006 Higher Education Security Breaches Georgetown University, 41,000 affected A cyber attack on a Georgetown University computer server that exposed personal information on 41,000 elderly District residents was discovered almost three weeks ago during a routine, internal inspection, a university spokesman said yesterday. . . . The invaded server was used by a researcher to monitor services provided to the elderly for the D.C. Office on Aging. The personal information, including names, birthdates and Social Security numbers, was supplied by about 20 groups that contract with the Office on Aging to serve the elderly. (The Washington Post, March 5, 2006)

Adler InfoSec & Privacy Group LLC 42 2006 Higher Education Security Breaches University of South Carolina, 1400 affected University of South Carolina officials are advising students to watch their credit reports after the Social Security numbers of as many as 1,400 students were mistakenly emailed to classmates. A department chairwoman distributing information about summer classes accidentally attached a database file to an e-mail she sent Sunday. The database included students Social Security numbers. (Associated Press Newswires, April 14, 2006) Adler InfoSec & Privacy Group LLC 43 2006 Higher Education Security Breaches University of Texas Austin, 106,000 affected Whoever hacked into the computer system at the University of Texas at Austin's business school obtained the names and Social Security numbers of 106,000 people, including all faculty and staff, most students and about half

the alumni, a UT official said Monday. . . . [Dan] Updegrove said student academic information, alumni personal financial information and credit card information was not exposed. (Associated Press Newswires, April 24, 2006) Adler InfoSec & Privacy Group LLC 44 2007 Higher Education Security Breaches University of Idaho, 331,000 affected Three desktop computers disappeared from the University of Idaho's Advancement Services office containing personal data of alumni, donors, employees and students. While an internal investigation shows that as many as 70,000 SSNs, names and addresses may have been on the harddrive, the school is notifying 331,000 people who may have been exposed. The computers "went missing" over Thanksgiving. Police asked the school to delay notice for investigative purposes. Adler InfoSec & Privacy Group LLC 45 2007 Higher Education Security Breaches

University of Missouri, 2500 affected A hacker broke into the University of Missouri's Research Board Grant Application System and gained access to the SSNs of at least 1,220 researchers. The passwords for more than 2,500 people may well have been compromised, according to a college spokesperson, which could lead to exposure of information. Adler InfoSec & Privacy Group LLC 46 2007 Higher Education Security Breaches Georgia Tech University, 3000 affected An unauthorized access to a Georgia Tech computer may have compromised about 3,000 current and former employees. The stolen info includes names, addresses, SSN, and other sensitive information including about 400 state purchasing card numbers. Adler InfoSec & Privacy Group LLC 47 Cost of Security Breaches Ponemon Institute Survey - 31 companies that faced data

breach incidents in 2006, ranging from loss of 2,500 records to 263,000 records and resulted in a total loss of 815,000 compromised customer records The average total From 2005 to 2006 there was 30% increase in cost of breach to average cost of data each company was breach incidents to $183 $4.8 million. per lost customer record The reported costs of comprised of: each breach ranged Average Direct Costs from $226,000 to $22 $54 (8% increase) million, Lost Productivity - $30 Total reported costs per lost record (100% for all of the increase) breaches was $148

Costs of Keeping million. Existing and Getting New Clients - $99 per lost record (31% Adler InfoSec & Privacy Group LLC increase). 48 Security Breach Survey Other Findings from the Ponemon Survey: Nearly 30% of the reported breaches involved data lost by contractors, consultants, or other external partners. Over 90% of the breaches involved the loss of electronic data rather than paper documents. 35% of the total breach incidents reported Lost or stolen laptop computers. Only 10% of the reporting companies had an expert, such as a privacy, security or compliance officer, in place to handle breach recovery efforts

2006 Annual Study: Cost of a Data Breach" is available from the Ponemon Institute at [email protected] Adler InfoSec & Privacy Group LLC 49 Federal Spyware Legislation Adler InfoSec & Privacy Group LLC 50 Proposed Federal Spyware Legislation H.R. 964 ("Securely Protect Yourself Against Cyber Trespass Act") (Spy Act) Rep Mary Bono, (formerly H.R.2929; formerly H.R.29) Status: Passed House, May 23, 2005. Reintroduced, February 8, 2007. Prohibits certain specific practices except with user authorization. Requires notice, consent,

and uninstall capability for certain information collection and advertising programs. Leaves many key details to the Federal Trade Commission. Grants enforcement power only to the FTC. Preempts existing state laws about spyware. Adler InfoSec & Privacy Group LLC 51 State Spyware and SSN Legislation Adler InfoSec & Privacy Group LLC 52 Spyware State Laws

Alaska S. 140 (Pop-Up Ads) Arizona HB 2414 Arkansas SB 2904 California SB 1436, SB 92 Georgia SB 127 Iowa HF 614 Louisiana HB 690 New Hampshire Chapter 238

New York A. 891F Rhode Island HB 6811 Tennessee (SB 2069) Texas SB 327 Utah HB 104, amending HB 323 Virginia HB 2471

Washington HB 1012 Adler InfoSec & Privacy Group LLC 53 Spyware Proposed 2007 Illinois (SB 1199, SB 1495) - proposed (Civil Penalties) Maine (LD 1029) Proposed Massachusetts (SD 1800, HD 460) Michigan (SB 145) Proposed (allows private causes of action)

Missouri (HB 993) - Proposed (Criminalizing) Mississippi (SB 2261) Proposed New York (s 3655, S 1459, A 340) - Proposed Pennsylvania (HB 755) Proposed Adler InfoSec & Privacy Group LLC 54 2006 State Social Security Laws Over the last two years the number of states with some sort of SSN restriction law has grown from eight to 25. The following are those that passed over the last year:

Pennsylvania - Social Security Number Privacy Act (H.B. 2134), 11/29/06 New York, S. 6909C, 9/26/06 Hawaii, Social Security number protection bill (Act 137), 5/25/06 Minnesota, S.F. 3132, 5/25/06 Tennessee, P.A. 06-555, 4/24/06 Colorado, H.B. 1156, 3/31/06 Wisconsin, A.B. 536, 3/16/06 Adler InfoSec & Privacy Group LLC 55 Typical SSN Use Prohibitions The Social Security Laws vary widely from stateto-state. Some prohibitions on SSN uses that are common are as follows: public posting of SSN information;

use of SSNs on registration and service cards; requiring SSNs for access to Web sites; transmitting SSN data over the Internet; sending mail with visible SSNs; putting SSNs on faxes; using SSNs as an employee ID number; using SSNs as customer account numbers; printing SSNs on pay stubs; and selling SSNs. Adler InfoSec & Privacy Group LLC 56 Agency Actions and Litigation Adler InfoSec & Privacy Group LLC 57 FTC Authority Section 5 of the FTC Act (FTCA) permits the FTC to bring an action to address any unfair or deceptive trade practice that occur in the course

of commercial activities Deceptive trade practice is any commercial conduct that includes false or misleading claims or claims that omit material facts Unfair trade practices are commercial conduct that causes substantial injury, without offsetting benefits and that consumers cannot reasonably avoid While this is not relevant to higher education, understanding how these cases are enforced helps to prepare for GLBA enforcement Adler InfoSec & Privacy Group LLC 58 FTC Authority to Investigate

FTC has broad authority to investigate and bring actions May work with company to resolve the matter Where a pattern of non-compliance or egregious behaviors are involved, FTC will bring an enforcement action These actions usually result in settlements through consent decrees that include an FTC mandated privacy and security program Adler InfoSec & Privacy Group LLC 59 Enforcement/Consent Orders - FTCA Section 5 Unfair and Deceptive Trade Practices Violations for Erroneous Representations in Posted Privacy Practices Consent Orders Eli-Lilly (1/18/02) Information about Prozac users Microsoft (8/8/02)

Technology not as secure as claimed, but no security breach uncovered Tower Records (4/21/04) Security flaw in the companys web site exposing customers personal information Guess? (6/18/03) Failed to use reasonable and appropriate measures to protect customers personal information Petco Animal Supplies (11/ 11/04) Failed to use reasonable and appropriate measures to protect customers personal information Vision I Properties, LLC (3/10/05) Adler InfoSec & Privacy Group LLC 60 FTC Enforcement - Security Practices that "threaten data security" under the FTC Act's unfair practices prong:

In the matter of BJs Wholesale Club, FTC No. 042-3160, 6/16/2005 In the Matter of DSW, Inc., FTC, No. 0533096, 12/1/05 In re CardSystems Solutions Inc., FTC, File No. 052 3148, consent order 9/5/06 Adler InfoSec & Privacy Group LLC 61 Limitation of FTC Authority FTC: cannot regulate industries that are otherwise regulated (e.g., financial industries, common carriers) Does not apply to non-profits

may nevertheless work closely with these other industries may share enforcement authority with other agencies/authorities (e.g., DOJ) Adler InfoSec & Privacy Group LLC 62 GLBA Safeguards Enforcement Violations of GLBA Safeguards Rule (FTC) In re Sunbelt Lending Services, FTC, File No. 042-3153, 11/16/04) In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No. 042-3104 4/15/05 In re Superior Mortgage Corp., FTC, File No. 052 3136, 9/28/05

Adler InfoSec & Privacy Group LLC 63 FTC Privacy and Security Programs in Consent Decrees Originally, FTC would bring these actions due to a misrepresentation of privacy and security protections contained in a companys privacy notice or other document Consent order includes a requirement to establish and maintain a security and privacy program, including: Training and proper oversight of employees and agents Identification of reasonably foreseeable risks Design and implementation of reasonable and

appropriate safeguards Regular evaluation of the program Adler InfoSec & Privacy Group LLC 64 FTC Privacy and Security Programs in Consent Decrees (cont.) An obligation to have the privacy and security program reviewed annually by an independent qualified third party (i.e., CISSP or other qualified party) A requirement to provide certain documents related to the representations made about the companys programs and compliance upon request by the FTC An obligation to notify the FTC of any change

which may affect the companys compliance A final written report of compliance upon request by the FTC Adler InfoSec & Privacy Group LLC 65 SB 1386 Litigation Parke v. CardSystems Solutions Inc., Cal. Super. Ct., No. CGC-05-442624. Class Action continues in 2006, despite settlement with FTC Status Conference February 3 Status Conference March 7 Basis of Claim

Defendants negligent in permitting CardSystems to process credit card transactions when they knew or should have known that the company failed to comply with Credit Card Industry Data Security Standards (PCIDSS). Separate VISA and MasterCard data security standards formed the basis for that common set of data protection standards Adler InfoSec & Privacy Group LLC 66 Civil Suits for Security/Privacy Breaches Lambert v. Hartmann, No. 1:04cv837 (S.D. Ohio Dec. 29, 2006)

Plaintiff claimed constitutional right of privacy when SSN was published on the Web The court held SSN are not constitutionally protected against publication on the Web . The plaintiff's claimed damages are merely financial and the constitutional right of privacy is not implicated. Adler InfoSec & Privacy Group LLC 67 Civil Suits for Security/Privacy Breaches Guin v. Brazos Higher Educ. Serv. Corp. Inc., No. 05-668 (D. Minn. Feb. 2,2006) loan company lost Plaintiff's laptop that included his financial data in unencrypted form. The court held

that heightened risk of identity theft was insufficient to win a negligence action that there was no duty to encrypt data under the Gramm-Leach-Bliley Act, so no negligence when an employee took unencrypted data home on a laptop. The court determined that the employer had a data protection policy in place, and that it followed it even though the data was lost. Adler InfoSec & Privacy Group LLC 68 Civil Suits for Security/Privacy Breaches Key v. DSW Inc., 454 F. Supp. 2d 684 (D. Ohio 2006); Bell v. Acxiom Corp., No. 4:06CV00458-WRW (E.D. Ark. Oct. 3, 2006)

In both the court cited Guin for the proposition that a mere fear of identity theft is not a sufficient injury to support a negligence action or to create standing to sue in federal court. Adler InfoSec & Privacy Group LLC 69 Civil Suits for Security/Privacy Breaches CollegeNET Inc. v. XAP Corp., 442 F. Supp. 2d 1070 (D. Ore. 2006) In a dispute between competing online marketers, Court held that the defendant was engaged in unfair competition when it collected names of prospects through the use of a deceptive opt-in/opt-out policy and instructed jury that it is possible to put a monetary value on personal

information A jury later concluded that the plaintiff's damages were $4.5 million. Adler InfoSec & Privacy Group LLC 70 Contact Information M. Peter Adler Adler InfoSec & Privacy Group LLC 2103 Windsor Road Alexandria, VA 22307 Telephone: (202) 251-7600 Facsimile: (703) 997.5633 Email: [email protected] Adler InfoSec & Privacy Group LLC 71

Recently Viewed Presentations

  • WWB Training Kit #19 Helping Children Express Their

    WWB Training Kit #19 Helping Children Express Their

    WWB Training Kit #19 Helping Children Express Their Wants and Needs Activity 1 Pair-Think-Share Pair with a partner Identify some ways in which children make their wants and needs known Think about how communication difficulties could affect this ability Share...
  • LabVIEW Hands-On Seminar [01 Intro]

    LabVIEW Hands-On Seminar [01 Intro]

    It is similar to flow-charting your code as you are writing it. LabVIEW makes you productive because you can write your program in significantly less time than if you wrote it in a text-based programming language. LabVIEW—Proven Productivity 6 ©National...
  • Administrative Details - Tel Aviv University

    Administrative Details - Tel Aviv University

    Pollards rho (ρ) method Imagine the following process mod pq: x0 - random xi+1 = xi2+1 mod pq This will loop only after (pq)1/2 steps (modulo pq) However, modulo p (or q) it will loop after p1/2 (or q1/2) steps...
  • The Crisis Itself (1998-2002)

    The Crisis Itself (1998-2002)

    Background Argentina has a history of chronic monetary, economic, and political problems. In 1810, it declared independence from the Spanish Government. No stable government ruled until 1862. Background Late 1800s: Steady growth and a booming economy due to beef exports...
  • UML Diagrams - Franklin University

    UML Diagrams - Franklin University

    UML Diagrams A tool for presentation of Architecture UML origins 80's and early 90's - explosion of modeling methods and notations Not to mention competition among methods people The "three amigos" (Booch, Jacobson, Rumbaugh) were working on the UML by...
  • Safety in the Classroom

    Safety in the Classroom

    Folding Tables Folding tables can be dangerous if not set up properly. Be cautious of allowing students to move them or set them up. Food If having a snack or party, be aware of food contents; students may have allergies...
  • Tournament Schedule - HomeTeamsONLINE

    Tournament Schedule - HomeTeamsONLINE

    Times New Roman Default Design Bitmap Image 2015 18U Northern Ohio Hurricanes Saturday January 3, 2015 - First Practice Staff Schedule Tournament Schedule Team Rules The Mental Game of Baseball A Guide to Peak Performance - H.A. Dorfman & Karl...
  • The importance of using the internet

    The importance of using the internet

    Chuck Hughes is a consumer activist based in Santa Barbra. He has served consumers on MH, MHSA as well as Community based organizations panels and committees. He is also the current web manager of the CNMHC South Region, CNMHC Far...