This article can also be found in the Premium Editorial Download "Information Security magazine: Defense-in-Depth: Securing the network from the perimeter to the core."
Download it now to read this article plus other related content.
You're the CISO of a mid- to large-sized consumer products company. On an otherwise uneventful Monday morning, one of your managers informs you that a file server containing customer information was left logged in all weekend, and several unescorted strangers were in the building on Saturday. A disgruntled employee who quit on Friday also came in over the weekend to get his stuff. Would you take it upon yourself to make sure that each customer is notified of the potential security problem? Probably not, though you might want to take an aspirin or two.
If you're a brokerage house in New York whose hacked database sits in Connecticut, you must notify your California customers if their financial data was stored in that database.
If your company does business in California, though, that's about to change. California's new privacy law (SB 1386), which goes into effect July 1, requires any company that conducts business in California and owns or licenses computerized personal data to notify California residents of any actual or suspected security breach that compromises the "security, confidentiality or integrity" of that information. The breach can occur anywhere. For example, if you're a brokerage house in New York whose hacked database sits in Connecticut, you must notify your California customers if their financial data was stored in that database.
Although the law applies only to unencrypted data, the potential ramifications are significant.
The law's vague terminology leaves much open to interpretation and may make enforcement difficult. For example, what constitutes "reasonable belief" that personal information was acquired by an "unauthorized person"? What is "unauthorized acquisition" of personal data? What about unauthorized acquisition by an authorized person?
For that matter, what is "unencrypted," or, more importantly, what constitutes "encrypted"?
Without a history of case law, there are no easy answers. One thing is certain: You don't want your company to be among the law's first test cases. If you meet the criteria, the cost of notification alone could be huge.
There's more. The law gives Californians the right to file civil suit if their personal information is stolen. So, in addition to the cost of notification, your company could face significant exposure from litigation, and could even be shut down by an injunction if the statute is violated.
Before our hypothetical CISO jumps the gun and starts notifying customers, he should pause to investigate. He should have mechanisms in place to determine if the system has actually been compromised. At a bare minimum, he should ask whether there was any indication that the server had been accessed. Did the server have a password-protected screen saver? Were any of the records encrypted? Is there an access control system? Had the time/date stamp been modified on any of the files containing personal information? If your company doesn't have the forensics tools or skill sets in house to even determine if there was a breach, it's high time it did.
This process of discovery emphasizes the need to consider stronger protection of personal information. Data encryption would be the ideal route, since that's the "safe harbor" under the California law. In fact, several startup vendors have recently brought to market high-performance data encryption appliances to protect huge stores of critical and sensitive information.
Encrypting personal data isn't your only option. Identify databases that contain personal Information--and monitor their logs diligently. And incorporate the new law into your incident response plan.
Overkill? Perhaps, but the California act isn't the only privacy law of this type. Several states are considering similar legislation, along with a bill to be introduced by U.S. Sen. Diane Feinstein (D-Calif.), which is patterned after the California law. You and other CISOs face the prospect of trying to maneuver your way through some potentially very different (and possibly conflicting) privacy laws.
With all its ambiguities, however, the California law recognizes the importance of information security and attempts to impose accountability for security breaches that lead to exposure of personal information. The net result should be to force companies to follow best practices. Nevertheless, as a CISO who has to deal with them, you may want to reach for that aspirin now.
Randy Sabett, CISSP, is an attorney with Cooley Godward LLP in Reston, Va., and co-vice chair of the American Bar Association's Information Security Committee.
This was first published in June 2003