Information Security assessment must be consistent with what 3 key attributes?
- Confidentiality—access to data is limited to authorized parties
- Integrity—assurance that the data is authentic and complete
- Availability—knowledge that the data is accessible, as needed, by those who are authorized to use it
What are Security Controls?
Security controls are mechanisms put in place to prevent, detect, or correct a security incident.
What are the 3 types of Security Controls?
- Physical controls—such as locks, security cameras, and fences
- Administrative controls—such as incident response procedures and training
- Technical controls—such as firewalls, antivirus software, and access logs
Which state enacted the first data breach notification law?
California in 2003, AB 1950
What does AB 1950 require as it relates to Information Security?
That companies “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
What companies are exempt from AB 1950?
Companies already subject to greater information security requirements such as the Gramm-Leach-Bliley Act, (GLBA) or Health Insurance Portability and Accountability Act (HIPAA)
What constitutes reasonable security procedures and practices?
CSC Top 20 according to the CA AG
Which state, arguably, has the most prescriptive security law?
Massachusetts, 201 CMR 17.00
What are the 10 things the Mass security law requires?
- Designate an individual who is responsible for information security
- Anticipate risks to personal information and take appropriate steps to mitigate such risks
- Develop security program rules
- Impose penalties for violations of the program rules
- Prevent access to personal information by former employees
- Contractually obligate third-party service providers to maintain similar procedures
- Restrict physical access to records containing personal information
- Monitor the effectiveness of the security program
- Review the program at least once a year and whenever business changes could impact security
- Document responses to incidents
What are the 8 types of Data Breach Incidents?
- Unintended disclosure—sensitive information posted publicly on a website, mishandled or sent to the wrong party via email, fax or mail
- Hacking or malware—electronic entry by an outside party, malware and spyware
- Payment card fraud—fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals
- Insider—someone with legitimate access, such as an employee or contractor, intentionally breaching information
- Physical loss—lost, discarded or stolen nonelectronic records such as paper documents;
- Portable device—e.g., lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape
- Stationary device—lost, discarded or stolen stationary electronic device such as a computer or server not designed for mobility
- Unknown or other
What is the first step in incident management?
The first step in incident management is determining whether a breach has actually occurred.
What is the second step in incident management, if a breach has occurred?
The second step is containment and analysis of the incident.
What is the third step in incident management?
The third step in incident management is to notify affected parties.
What is the fourth step in incident management?
The fourth step is to implement effective follow-up methods, such as additional training, internal self-assessments and third-party audits where needed.
What is the framework the Office of the President’s Office of Management and Budget (OMB) gave for a security breach plan?
- Designate the members who will make up a breach response team
- Identify applicable privacy compliance documentation
- Share information concerning the breach to understand the extent of the breach
- Determine what reporting is required
- Assess the risk of harm for individuals potentially affected by the breach
- Mitigate the risk of harm for individuals potentially affected by the breach
- Notify the individuals potentially affected by the breach
What should organizations ensure that vendors are contractually required to do?
Provide training to their employees on identifying and reporting a breach, properly encrypt PII, report suspected or confirmed breaches; participate in the exchange of information in case of a breach, cooperate in the investigation of a breach, and make staff available to participate in the breach response team.
What is a typical state definition of “personal information”?
An example is Connecticut’s which defines it as “an individual’s first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number,44 (2) driver’s license number or state identification card number or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”
How many states have PI definitions that contain additional elements?
More than half
Which states do NOT include an exception for publicly available information in their definition of PI?
Louisiana, Idaho, and Michigan
What is the typical definition of a breach?
Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information, when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. - Connecticut
When there is unauthorized acquisition of the personal information that “compromises the confidentiality, security or integrity” of the information. - California
Who is typically notified when there is a breach?
State residents who are at risk because their personal information has potentially been exposed based on the level of unauthorized access or harm.
Note: Texas requires to notify not only Texas residents but also residents of states lacking a data protection notification law.
Who is may be required to be notified when there is a breach?
The state AG. More that half of the state require entities who detect a breach to notify the state AG or other state agencies.
How many states require that entities notify nationwide CRAs fo a data breach?
28
Do state require third party notification?
Yes, all data breach state laws require third party notification.
-
Structure of U.S. Law43
-
Enforcement of U.S. Privacy and Security Laws34
-
Information Management from a U.S. Perspective24
-
Medical Privacy22
-
Financial Privacy6
-
Chapter 9: Education Records and Technology20
-
Chapter 10: Telecommunications and Marketing28
-
Chapter 11: Workplace Privacy29
-
Chapter 12: Privacy Issues in Civil Litigation and Government Investigations3
-
Chapter 6: Information Security and Data Breach Notification Laws29
