Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
2. Data Security and Compliance: Why It's Important
Data breach events result in significant losses each year.
Insurance company Lloyd's estimates that data breach events cost companies about $400 billion per year.
In 2012, the average cost to each company that had a data breach was $5.4 million.
The average cost per compromised record is $188.00.
Common sources of loss include lawsuits filed by individuals whose information is compromised, notification and advertising costs, lost business/goodwill, direct theft of funds, and ransomware (programs that affect a computer or network and hold files hostage until a ransom is paid).
3. Data Security and Compliance cont.
Government fines and investigations are another common source of loss.
Data security and compliance with applicable laws/regulations must be an integral part of every company's risk management plan.
Ignorance of the rules is not an excuse.
4. Data Breaches are a Real Problem
Recent examples show data breaches are a growing problem affecting companies all over the world:
Ashley Madison (Canada)
Target (Minnesota)
Home Depot (Georgia)
Sony Pictures (Japan)
Wyndham Hotels (New Jersey)
Neiman Marcus (Texas)
Medical Informatics Engineering (Indiana)
Anthem (Indiana)
All of the foregoing breaches resulted in governmental investigations and litigation.
5. Legal Framework Regarding Data Security
The legal and regulatory framework is complex.
There are a number of federal and state laws that address a company's responsibilities with respect to data security.
Some laws, such as Sarbanes Oxley and the Federal Trade Commission Act, have broad applicability, while others are industry specific.
We will discuss a few of the significant laws that address data security, discuss the requirements and potential liability under those laws, and then provide some tips on how to protect yourself.
6. Significant Laws, Standards, and Programs Addressing Data Security Issues
There is no uniform set of standards that applies to every company. It is up to each company to determine which laws apply and how to comply with them. Below are the most broadly applicable statutes:
Sarbanes Oxley
Federal Trade Commission Act
Gramm-Leach-Bliley Act
Health Insurance Portability and Accountability Act
Health Information Technology for Economic and Clinical Health Act
Fair Credit Reporting Act
Children's Online Privacy Protection Act
Stored Communications Act
State Laws
Indiana's Data Breach Notification Law, Ind. Code § 24-4.9-2-2
Payment Card Industry Data Security Standards
Federal Information Security Management Act
Federal Risk and Authorization Management Program
7. Sarbanes Oxley Act of 2002
15 U.S.C. § 7262
Enacted in 2002 in response to the Enron and Worldcom scandals.
Designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures.
Applies to all publicly traded companies and public accounting firms.
Section 404 calls for the creation of rules requiring management to establish and maintain adequate "internal controls" and assess the effectiveness of those internal controls.
8. Sarbanes Oxley: Application to IT Departments
While Sarbanes Oxley deals primarily with the accuracy of financial reports, companies that are governed by Sarbanes Oxley typically rely on IT systems to process and store the data that is the basis for the financial reports; thus, Section 404 is intended to require organizations to consider the IT controls that are in place to ensure the accuracy of the financial information.
Key to that is preventing unauthorized access to systems and data and ensuring proper backups are in place in the event of a disaster.
9. Sarbanes Oxley: Penalties
Sarbanes Oxley is enforced by the Securities and Exchange Commission.
Failure to comply with Sarbanes Oxley is treated as a violation of the Securities Exchange Act of 1934, 15 U.S.C. § 7202.
It could carry significant penalties: up to $5,000,000 for individuals and $25,000,000 for non-individuals if the violation is willful.
It also could lead to imprisonment. 15 U.S.C. § 78ff.
10. Sarbanes Oxley: How to Protect Yourself
COBIT (Control Objectives for Information and Related Technologies) is a framework developed to assist with Sarbanes Oxley compliance.
Sample objectives include the following:
5.16, Trust Path: ensuring that sensitive transaction data is only exchanged over a trusted path.
5.20, Firewall Architectures and Connections with Public Networks: if connections to the internet or public networks exist, an adequate firewall must be installed and operative to protect against denial of service and unauthorized access to internet resources.
5.4, User Account Management: management should establish procedures regarding user accounts, rules that define privileges and access, etc.
There are a number of additional objectives, and it would be worth your time to familiarize yourself with them. http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
11. Federal Trade Commission Act (FTCA)
14 U.S.C. § 41
Section 45(a) states, "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful."
An unfair practice is one that causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by the consumers themselves and is not outweighed by countervailing benefits to consumers or competition.
Not very specific, but this law has real-world consequences for IT professionals.
In the Wyndham case, the FTC argued that allowing/not preventing a data breach was an unfair practice, and the Third Circuit Court of Appeals agreed. FTC v. Wyndham Worldwide Corp., Case No. 14-3514 (3d Cir. 2015).
12. FTCA: Penalties
The FTCA is enforced by the FTC.
If the FTC believes a company is engaging in a deceptive trade practice, it can obtain a cease and desist order requiring the company to quit engaging in the deceptive practice.
This theoretically opens every company that has a data breach to extensive FTC investigation, regardless of whether a specific consumer sues.
A company can face penalties of up to $10,000 per violation.
13. Gramm-Leach-Bliley Act
15 U.S.C. § 6801
Applies to all banks and financial institutions.
Enforced by multiple agencies, including the FTC.
Each financial institution has an obligation to respect the privacy of customers and to protect the security and confidentiality of those customers' non-public personal information.
Financial institutions must ensure the security and confidentiality of customer records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to such records.
14. Gramm-Leach-Bliley Act: Penalties
Gramm-Leach-Bliley is enforced by various bodies having regulatory authority over financial institutions.
Violations of the Gramm-Leach-Bliley Act can result in stiff penalties (up to $100,000 per violation for the financial institution).
Officers and directors may face personal liability, including fines up to $10,000 and imprisonment.
15. Health Insurance Portability and Accountability Act (HIPAA)
42 U.S.C. § 1320d
Applies to health plans, health care providers, pharmacists, and any entity or person that transmits health information in electronic form.
Requires the Secretary of the Department of Human Services to establish standards that, among other things, call for certain security measures to protect individually identifiable health information.
Companies are required to maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of such information and protect against reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information. 42 U.S.C. § 1320d-2(d).
16. HIPAA: Penalties
HIPAA is enforced by the Department of Health and Human Services and state attorneys general.
Penalties for failing to ensure the security and integrity of individually identifiable health information can reach $50,000 per occurrence, or $1,500,000 per year if there are multiple violations.
There is also a penalty of up to $50,000 and imprisonment of up to 1 year for the knowing disclosure of individually identifiable health information, which goes up to $250,000 and 10 years imprisonment if the disclosure is made under false pretenses or with intent to sell the information.
17. Health Information Technology for Economic and Clinical Health Act (HITECH)
The goal is the promotion of health IT.
HITECH extends the privacy and security measures of HIPAA to "Business Associates" of those entities covered by HIPAA. A "Business Associate" is an entity that, for and on behalf of a health care provider, health plan, etc., creates, receives, maintains, or transmits protected health information for a function or activity such as claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, etc.
18. HITECH Cont.
Contains a new notification requirement: entities covered by HIPAA and Business Associates are now required to notify each individual whose information may have been compromised, and, if the breach involves 500 or more individuals, to notify the media and the Secretary of Health and Human Services.
HITECH extends the penalty provisions of HIPAA to Business Associates.
19. Fair Credit Reporting Act
15 U.S.C. § 1681
Requires consumer reporting agencies to adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.
A company that fails to comply with this law may be liable for actual damages plus costs and attorneys' fees.
This law also imposes a fine of up to $5,000 and/or imprisonment of up to 1 year on officers and employees who knowingly and willfully disclose information from the consumer reporting agency's files to a person not authorized to receive such information.
20. Children's Online Privacy Protection Act (COPPA)
15 U.S.C. § 6501
Applies to websites or online services (Operators) directed to children under 13 years of age.
Operators must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of data collected from children.
Operators must also take reasonable measures to ensure that parents receive notice of the operator's practices with regard to collection, use, or disclosure of personal information from children.
21. COPPA: Penalties
COPPA is enforced by the FTC.
A violation of COPPA is treated as an unfair or deceptive act under the FTCA.
Penalties are governed by the FTCA.
22. Stored Communications Act
18 U.S.C. § 2701
Prohibits an individual from intentionally accessing stored electronic communications without authorization.
Also prohibits an entity providing an electronic communication service to the public from knowingly divulging to any person or entity the contents of an electronic communication while in electronic storage by that service, or from knowingly divulging any communication which is carried or maintained on that service on behalf of, and received by electronic transmission from, a subscriber or customer of such service.
23. Stored Communications Act: Penalties
Unlike some of the other statutes we have talked about, this law gives individuals who are affected by a violation the right to file a civil action.
An individual may recover actual damages; however, the individual is entitled to at least $1,000 per person, so if actual damages are less, the aggrieved individual will still get at least $1,000.
Violation of the Stored Communications Act is one of the claims asserted in one of the Ashley Madison cases filed in Bentonville, Arkansas.
24. Other Potentially Applicable Federal Laws
Electronic Communications Privacy Act: prohibits interception, use, and disclosure of wire, oral, and electronic communications. It is not out of the realm of possibility that this law could be invoked to impose liability on a company for failing to secure its data system.
Bank Secrecy Act
USA Patriot Act
The Bank Secrecy Act and Patriot Act work in conjunction to prevent money laundering. These laws do not directly address privacy concerns, but do impose requirements on banks and other institutions to help prevent money laundering. Their IT provisions apply primarily to financial institutions.
25. State Laws
Ind. Code § 24-4.9-2.2
Requires any database owner to disclose a security breach to the affected individuals.
If the breach involves more than 1,000 individuals, the database owner must also notify applicable consumer reporting agencies.
Also requires database owners to implement and maintain reasonable procedures to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the database owner.
26. State Laws Cont.
Failure to disclose a breach under Ind. Code § 24-4.9-2-2 is a deceptive act that is punishable by the attorney general.
Fines of up to $150,000 per deceptive act may be imposed. (Note: in Indiana, a failure to make a required disclosure in connection with a related series of breaches of the security of data is considered one deceptive act.)
In addition to Indiana law, companies need to be aware of other state consumer protection laws (e.g., unfair trade practices and deceptive acts).
27. Payment Card Industry Data Security Standards (PCI DSS)
Initiated by Visa and Mastercard in 2001 to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
Applies to all entities involved in payment card processing, and all entities that store, process, and transmit cardholder data and sensitive authentication data.
28. PCI DSS: The Standards
PCI DSS contains 12 standards:
1. Install and maintain a firewall configuration to protect cardholder data;
2. Do not use vendor-supplied defaults for system passwords and other security parameters;
3. Protect stored cardholder data;
4. Encrypt transmission of cardholder data across open, public networks;
5. Protect all systems against malware and regularly update anti-virus software or programs;
6. Develop and maintain secure systems and applications;
7. Restrict access to cardholder data by business need to know;
8. Identify and authenticate access to system components;
9. Restrict physical access to cardholder data;
10. Track and monitor all access to network resources and cardholder data;
11. Regularly test security systems and processes;
12. Maintain a policy that addresses information security for all personnel.
29. PCI DSS: Enforcement
Most of the major credit card companies incorporate these standards into their merchant account agreements with various businesses.
Those agreements will spell out the potential exposure for failing to comply with the PCI DSS; at a minimum, failure to comply may result in termination of the agreement and termination of the merchant's card privileges. Some agreements also incorporate fines, which may range from $5,000 to $100,000 per month.
While the PCI DSS are not required under federal law, some states have incorporated the standards into their state law.
Also note that these standards might be reviewed by a court to evaluate whether a company has satisfied its standard of care; this could come up in lawsuits by individuals whose data was compromised.
30. Federal Information Security Management Act (FISMA)
44 U.S.C. § 3551
Carried out by the Secretary of the Department of Homeland Security. Enacted with six goals in mind:
Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets;
Recognize the highly networked nature of the current Federal computing environment and provide government-wide management and oversight of the related information security risks;
Provide for redevelopment and maintenance of minimum controls required to protect Federal information and information systems;
Provide a mechanism for improved oversight of Federal agency information security programs, including through automated security tools to continuously diagnose and improve security;
Acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions;
Recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.
31. FISMA: Requirements
Requires the head of each federal agency to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:
Information collected or maintained by or on behalf of the agency;
Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
Requires the head of each federal agency to comply with the requirements of FISMA and related policies, procedures, standards, and guidelines.
Requires the head of each federal agency to ensure that information security management processes are integrated with agency strategic, operational, and budgetary planning processes.
Contains annual reporting and oversight requirements.
32. FISMA: Penalties
No penalties per se, but the government does publish each agency's FISMA results each year, which has led to public awareness of deficiencies and ridicule.
There have also been threats by lawmakers to cut agency budgets if agencies don't improve their FISMA scores.
33. Federal Risk and Authorization Management Program (FedRAMP)
Not a law, but a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP security measures are FISMA compliant.
34. Negligence?
While we have noted some of the important data security laws in existence, it is important to note that in addition to regulatory penalties, companies may face lawsuits directly from consumers as well.
Most of the cases noted above were based on simple claims of negligence, meaning the company owed a duty to the customer to protect the confidential information, breached that duty, and as a result, the customer suffered damages.
Thus, the specific penalties mentioned in the laws we discussed are only a portion of the liability a company may face for a data security breach.
35. Insurance
A general liability policy probably does not cover data breaches.
However, many major insurance companies such as Hartford, Liberty Mutual, Travelers, Chubb Group, and Tech Insurance offer data breach insurance protection.
It may be added on as optional coverage to the business owner's policy or general liability policy, or may be offered as a separate policy.
36. Insurance Cont.
Benefits:
Provide access to professionals who can assist with regulatory compliance;
Provide guidance on how to help prevent a data breach;
Assist with handling a breach crisis if one occurs;
Assist with notification of the breach;
In most states, coverage is available for defense and liability if a lawsuit is filed;
Offset costs such as investigation costs to determine how the breach occurred, credit monitoring costs, lost business, damage to company reputation, etc.
Cost:
Like any insurance, cost depends on a number of factors; in this arena, factors include the size of the company, the amount of data that is being protected, and the security features that are in place to protect the data;
According to the insurance brokerage NFP Property & Casualty, average premiums are about $2,500 per year;
Cost could go as high as $10,000 per month, depending on the company.
37. Takeaways
Data security is becoming a significant issue in our technological age, and there are a number of pitfalls that can result in significant financial loss to unwary companies.
Companies need to be taking measures to ensure that data is secure.
38. What Can You Do?
Work with lawyers to identify applicable laws and best practices to ensure compliance with those laws.
Work with IT professionals to ensure data security measures incorporate best practices and are sufficient to comply with applicable laws.