Review of an Article Where Physical Security Failed

By Stephen Wu

I. Why Worry About Data Security?

Data breaches continue to be an everyday occurrence. We see them in the news all the time. The recent Equifax breach is only the latest in a long string of breaches. Competitors, former employees, and state-sponsored groups seek companies' trade secrets in order to establish competing businesses. Hacktivist groups seek to damage the reputation of companies by publicizing sensitive information. Organized crime rings seek sensitive information for profit.

The consequences of data breach liability are becoming apparent. Merchants sued for data breaches are paying staggering amounts to investigate and settle the cases against them. The TJX Companies set aside $107 million to cover the litigation and regulatory actions against it. Heartland Systems set aside $73.3 million for breach expenses in 2009.

Although TJX and Heartland are huge cases, other companies discover (or perhaps fail to discover) smaller security breaches every day. For instance, former employees departing companies commonly misappropriate trade secrets and confidential information as they leave their employment. Security breaches, both big and small, cost companies real money every day in investigation and remediation costs, litigation costs, customer anger, reputation losses, loss of competitiveness, and ultimately, loss of revenue and shareholder value.

II. Business Risks

Security breaches harm a company's business and create financial and legal risks. First, a security breach involving the loss of trade secrets or confidential information may imperil the future of a company's business. Companies depend on keeping the new products and services they are developing away from competitors. Customer lists are critical to sales efforts. The loss of these key assets jeopardizes a company's ability to compete in the market.

Second, the costs involved in responding to a security breach are considerable. Companies responding to breaches may hire computer forensic experts to examine the cause of the breach and preserve evidence. They may retain information security firms to close vulnerabilities. In addition, companies may engage public relations and crisis communications experts to deal with consumers and the public to protect their reputation. All of these expenses are in addition to legal fees incurred in the investigation and possible defense of claims brought by consumers against companies that compromised their personal information. For major breaches, the legal fees alone could amount to millions of dollars.

Finally, security breaches affect a company's reputation. Customers may start to feel uncomfortable doing business with a company that apparently did not, before the breach, prevent the compromise of their sensitive information. The loss of reputation may cause customers to move to competitors or deter potential customers from doing business with the company. A reduction in customer business hits the bottom line with reduced sales revenue and lost profits. Ultimately, the damaged reputation and diminished revenue stemming from a breach may reduce shareholder value and cause stock price drops.

III. Different Facets of Information Security Law

What is information security law? Information security law is an emerging area of law focusing on one of our society's most valuable sources of wealth – data. Information security law is nothing new. Nonetheless, information security law is "emerging" in the sense that it has arisen largely in the last two decades, as opposed to more traditional areas of law, like real estate, that have been with us since the founding of the United States. It has also emerged because developments in the law have been accelerating in recent years.

Returning to the original question, what is information security law? Also, what do information security lawyers do?

Information security law, or infosec law, is in some ways a new area of law. In other ways, it is a new area of practice for law firms and has an industry-specific focus. This article discusses all of these dimensions of information security law.

Information security, as an emerging area of law, includes a number of components. First and foremost, information security lawyers counsel their clients on requirements to keep data and information systems secure. These requirements may stem from public law (statutes and regulations) or private arrangements made via contracts. Infosec lawyers help clients answer the key question: What does my company need to do to comply with infosec requirements under applicable law and contracts?

Second, infosec law addresses liability that arises from security breaches or defects in security products or services. Parties injured by a security breach may sue to seek damages or an injunction against the parties responsible for the breach. When the perpetrators cannot be found or it isn't worth suing them, injured parties may sue others who supposedly allowed the breach to occur or failed to stop it. Companies purchasing security products or services may sue their vendors when the products or services don't work as advertised or when they fail to prevent a breach. Infosec lawyers bring suit on behalf of the injured party or defend these kinds of suits.

Third, infosec law covers secure electronic commerce. Secure electronic commerce answers questions such as:

  • How do parties form contracts online?
  • Are online contracts treated the same as paper contracts under the law?
  • What must a person or business do to authenticate himself, herself, or itself to another party online?
  • What must be done to tie an individual or business to an online transaction and hold that party accountable for it?
  • How can you prove that a person has agreed to an online transaction: an electronic signature, a secure form of electronic signature, or a digital signature?

Secure electronic commerce systems or programs may, for instance, establish a trading community in which a large organization can procure products or services from its vendors. Electronic "commerce" can also include e-government services. For example, an environmental regulatory agency may establish an online presence to accept submissions of environmental reports and disclosures. E-commerce lawyers counsel clients concerning ways to establish secure e-commerce systems, the interplay between background law and the contracts involved in establishing these systems, and liability concerns arising from e-commerce activities.

In addition to being an area of law, infosec law is also a law practice. Lawyers from a variety of traditional practice areas may work in the information security area. For example, lawyers specializing in government regulatory matters may advise clients on federal or state statutes that impose infosec requirements. Attorneys working in government affairs in Washington or state capitals may become involved in lobbying efforts for or against new infosec legislation, such as the federal breach notification bills. Litigation lawyers are likely to be the professionals handling disputes arising from security breaches. Finally, members of technology transactions groups are often the first lawyers called in to counsel clients seeking to protect sensitive information in IT arrangements or to engage in secure e-commerce, although technology attorneys with the specialized skills needed to provide in-depth advice have created a distinct sub-specialty within the technology transactions umbrella.

Finally, information security lawyers focus on one industry: the information technology industry. Some law firms have IT law groups whose work includes addressing the specific needs of vendors of information security products and services. Infosec lawyers need to develop deep IT experience and exposure to clients that depend on IT for their operations and sometimes their entire livelihood. More recent trends, such as cloud computing, pose even greater challenges to the legal community.

Infosec lawyers cultivate contacts among IT professionals and infosec professionals in particular. Servicing clients' infosec legal needs is a multi-disciplinary effort, and lawyers are creating fruitful partnerships and relationships with outside and in-house technical experts. Lawyers in the infosec field simply cannot perform their jobs alone. They require considerable assistance from experts with the technical expertise needed to provide comprehensive advice to clients.

In sum, information security is at once an emerging area of law, an area of practice, and an industry focus. As with new areas of the law in the past, attorneys practicing infosec law are those who have experience in allied areas of law and who have IT and infosec technical expertise. The mix of technical and legal issues, the need to work with multi-disciplinary teams, and the novelty of the field challenge infosec lawyers, but make for a fascinating area of the law.

IV. Compliance with Security Laws

Over the years, state, federal, and international information security laws have proliferated. These laws impose security requirements on the businesses and governmental entities that they cover. At first, these laws focused on specific sectors of the economy, such as financial services, health care, or government. Later, state legislatures, foreign governments, and international bodies created more general data protection laws that cut broadly across sectors. Some of these laws establish only general requirements, such as the mandate to protect certain kinds of data with "reasonable security." Others provide a much more detailed set of requirements, some of which even relate to the use of specific technologies, such as encryption.

Most security-related laws mandate the implementation of security controls to protect security-sensitive information. Other laws, however, create business opportunities if companies adopt security technologies.

A. Sarbanes-Oxley Act

Congress enacted the Sarbanes-Oxley Act (SOX) to cover publicly traded corporations and address financial scandals, such as Enron and WorldCom. SOX addresses fraud in the finance departments of public companies by requiring that public companies establish reliable "internal controls" for gathering, processing, and reporting financial information, with the ultimate goal of ensuring accurate reporting of public companies' finances for the benefit of investors. While SOX and its regulations do not directly require specific information security controls, auditors and leading organizations have created guidance documents to define internal controls, and some of the guidelines address information security controls as a foundation for creating strong internal controls.

B. Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) loosens certain regulations on the financial services industry. However, it imposes privacy and security requirements on financial institutions, which GLBA defines broadly. GLBA and regulations under it call for financial institutions to protect the privacy of their customers and to protect the security and confidentiality of their customers' nonpublic personal information.

C. Federal Information Security Management Act

Congress passed the Federal Information Security Management Act (FISMA) to promote the security of federal agency information systems. FISMA requires that agencies create and implement security programs and report the results of these programs to the Office of Management and Budget, which reports the results to Congress. The National Institute of Standards and Technology (NIST) provides guidance in publications containing specific technology controls and standards for agencies to implement and meet.

D. Fair and Accurate Credit Transactions Act/Red Flags Rule

The Fair and Accurate Credit Transactions Act (FACTA) helps to reduce consumer risks associated with identity theft. Under FACTA, the Federal Trade Commission (FTC) and other agencies promulgated what are known as the "Red Flags Rules," which cover financial institutions and creditors that hold consumer accounts. Covered entities must create an Identity Theft Prevention Program for combatting identity theft, which includes reasonable policies and procedures for detecting, preventing, and mitigating identity theft. These policies and procedures should include information security controls.

E. Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA), among other things, helps workers by protecting the portability of their health coverage. However, HIPAA also contains administrative simplification provisions promoting electronic health transactions and protecting the privacy and security of health data as it is processed in these transactions. Under HIPAA, the Department of Health and Human Services enacted comprehensive and broad privacy rules and security rules, which call for specific security controls. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) within the American Recovery and Reinvestment Act of 2009, as well as final HIPAA/HITECH regulations issued in 2013, expanded the scope of the HIPAA Security Rule and included new breach notification requirements regarding the compromise of health information.

F. California Confidentiality of Medical Information Act and Other State Privacy Laws

The California Confidentiality of Medical Information Act and other California laws prohibit healthcare providers from disclosing patient records without authorization. Moreover, other California laws, enacted after high-profile security breaches resulting from hospital workers looking at celebrities' records, prohibit healthcare workers from "snooping" in patient records. Newer legislation requires healthcare providers to protect the integrity of medical records and to log access to them.

G. California SB 1386 and AB 1950

California was the first state to enact a breach notification law, SB 1386, requiring businesses and state agencies to notify affected California residents whose personal information was compromised. SB 1386 covers personal information in the form of a driver's license/California ID card number, social security number, or financial account number (with access code) in combination with a last name and first name or initial, as well as medical records. The law covers businesses that own or license such personal information. SB 1386 requires them to notify California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

California's AB 1950 covers the same category of businesses and personal data. Under AB 1950, covered entities must implement reasonable security procedures and practices to protect personal information against unauthorized access, destruction, use, modification, or disclosure. AB 1950 does not call for specific security controls.

Other states and nations have laws or guidelines similar to both SB 1386 and AB 1950.

H. State Consumer Protection Laws

California has three laws commonly used in consumer claims against product and service providers. First, California's Unfair Competition Law (UCL) strikes at "unfair competition," including unfair and deceptive trade practices. The UCL appears at Business & Professions Code Section 17200 and following sections. Second, California's False Advertising Law prohibits making untrue or misleading advertising statements. Finally, the California Consumers Legal Remedies Act prohibits specific categories of unfair and deceptive trade practices.

I. Cybercrime Laws

Federal and state cybercrime laws prohibit, among other things, gaining unauthorized access to computer systems, damaging computer systems, or spreading malware. The federal Computer Fraud and Abuse Act is a criminal statute. It also creates a private right of action for victims of certain categories of cybercrimes. While these laws do not establish security requirements per se, they may become relevant to the conduct of company personnel. Companies should train and supervise their employees to prevent them from violating these laws in developing products, delivering services, or conducting their business.

J. EU General Data Protection Regulation

In May 2018, companies collecting and processing personal data from citizens of the European Union and European Economic Area (the EU plus Iceland, Liechtenstein, and Norway) will need to comply with the EU General Data Protection Regulation, or "GDPR" for short. The GDPR is a law that recognizes the fundamental rights of individuals (called "data subjects") to certain privacy rights. As a regulation, the law imposes a uniform framework of privacy requirements on the member states of the European Union and the European Economic Area.

GDPR covers a wide variety of "personal data." "Personal data" means any information relating to an identified or identifiable natural person, including but not limited to names, health information, financial information, e-mail addresses, and even IP addresses, phone numbers, and device identifiers.

Businesses in the United States that have a European presence or are cultivating a customer base in Europe are potentially covered. In addition to certain privacy protections, Article 32 of GDPR requires companies collecting personal data ("controllers") and data processors working on behalf of controllers to implement security controls. Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including ensuring the confidentiality, integrity, availability, and resilience of processing systems and services.

V. Liability Risks

When high-profile security breaches cause the loss of consumer personal information, lawsuits often follow. In fact, in the Sony PlayStation security breach, lawyers filed a class action against the company nine days after the breach occurred. If your company holds consumer personal information, a class action against your company is a significant risk if a data breach occurs.

Plaintiffs have asserted a number of claims against companies that have experienced data breaches. First, they often assert negligence claims against the accused companies. Typically, plaintiffs claim the company had a duty to protect the security of personal information, the company failed to exercise reasonable care to protect that data, a breach occurred as a result, and the breach caused the plaintiffs damage.

Second, plaintiffs may assert a breach of contract claim against the company hit by the breach. They may point to express promises of security or claim an implied contractual duty to protect information. They then contend that the compromise in security constituted a breach of the contract between the company experiencing the breach and its consumer customers.

Finally, plaintiffs may assert statutory claims against the company based on laws against unfair and deceptive trade practices or laws against false advertising. They may contend that inadequate security is an unfair trade practice, misleads consumers (perhaps because of advertised assurances of security), or is illegal under information security laws. The violations may entitle consumers impacted by the breach to a refund of their payments to the company. In addition, the FTC may bring an enforcement action against a company experiencing a breach for these same reasons.

Companies may also face information security liability for alleged privacy violations or for failing to supervise their employees. If companies roll out products or services that allegedly violate consumer privacy by accessing consumers' applications or devices without permission, they may be sued for violating cybercrime laws. In addition, if rogue employees within companies gain unauthorized access to competitors' computer systems to uncover business intelligence, the companies may face cybercrime claims based on the unauthorized access.

VI. How to Prevent Breaches?

Preventing data breaches requires a combination of approaches to manage people, processes, and technologies in order to implement robust security controls. This section addresses the security controls that can help you minimize the risk of security breaches. It is impossible to prevent all data breaches, and it would be cost-prohibitive to try. Instead, each organization will need to conduct its own risk management process to settle on a balance between implementing controls to minimize the risk of breaches and the time, effort, and money needed to implement such controls.

This section refers to a business covered by a security policy as the "Covered Entity."

A. Administrative Controls

Administrative safeguards are the non-technical, "soft" measures that management establishes regarding acceptable employee conduct, personnel procedures, and correct technology usage within the enterprise.

1. Risk Analysis and Management

Risk analysis consists of four components:

  1. Asset identification and valuation
  2. Threat identification
  3. Vulnerability identification
  4. Risk identification.

2. Asset Identification and Valuation

The term "assets" refers to items of value to the Covered Entity, which include (among other things) computer hardware, mobile devices, software, records, and other information. Asset identification and valuation involves listing the assets to be considered within the scope of the risk assessment. Once they are identified, the Covered Entity needs to assign the appropriate value to each asset, which can be monetary or simply a qualitative measure of the asset's value (e.g., high, medium, or low).

3. Threat Identification

A threat is a negative event that has the potential to damage an asset that is vulnerable to such a threat. Information security threats compromise the confidentiality, integrity, or availability of information. Threats may be intentional, such as a hacker attempting to break into a network. Threats may also be inadvertent, such as the mistyping of an e-mail address, which may be attributable to natural human carelessness or fatigue. Threats may extend beyond human conduct, whether intentional or not, to natural or physical phenomena. For instance, hurricanes and earthquakes pose threats to the availability of information when they strike data centers and the equipment operating in them.

4. Vulnerability Identification

A vulnerability is a weakness in an asset that allows a threat to damage that asset. This weakness can stem from the lack of a control designed to protect the asset, a weakness in the control, or a feature of the asset itself. Threats have the potential to exploit these weaknesses to damage the confidentiality, integrity, or availability of the asset. Because vulnerabilities only exist in the context of a threat, the Covered Entity must carefully consider which threats are relevant to it when assessing the vulnerability of an asset to a particular threat.

5. Risk Identification

The risk identification step analyzes risk based on the likelihood that a threat will exploit a vulnerability and the impact that event would have on the vulnerable asset. The Covered Entity can use existing questionnaires, interviews with experts, past history, and other means to determine the risks the organization may encounter. The Covered Entity should document potential risk elements as part of its risk management process. High risks are those involving threats that occur frequently and/or exploit vulnerabilities of high-value assets. Low risks are those where a small vulnerability may expose a low-value asset to unlikely or infrequent compromise or loss. Even when the risk identification step is completed, there is a remaining "unidentified risk."

Risk Management describes the continuous, iterative process of:

  1. Analyzing changes to the Covered Entity's environment, including such factors as: (i) implementation of new technology and associated vulnerabilities; (ii) developments in new threat technology; (iii) changes to organizational structure and business goals; and (iv) changes in regulations.
  2. Measuring and prioritizing risks and corresponding mitigation measures and incorporating them into a Risk Management Plan.
  3. Implementing the mitigation measures defined in the Risk Management Plan.

The Risk Management Plan should address how each risk is to be managed to an acceptable level. Risks may be prioritized on the basis of degree of risk, the magnitude of harm that a threat could cause, the cost to mitigate a vulnerability, business goals and critical needs, and the expected effectiveness of mitigation measures.
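The four risk analysis components above (asset valuation, threat likelihood, vulnerability, and risk) and the prioritization criteria of the Risk Management Plan can be carried through as a small qualitative risk register. The following is an added example written for this page, not code from the article; the three-by-three likelihood-times-impact matrix, the tier cut-offs, and all asset, threat, and mitigation-cost figures are constructed assumptions.

```python
"""Qualitative risk register: assets carry a value, threats carry a likelihood,
vulnerabilities tie a threat to an asset, and risk is read off a likelihood x
impact matrix. Entries are ranked highest risk first, cheapest mitigation first
among equal risks. All data and thresholds below are constructed for the example."""
from dataclasses import dataclass

# Assumed qualitative scale shared by asset value and threat likelihood.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    value: str  # qualitative valuation: low / medium / high


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str  # expected frequency of occurrence: low / medium / high


@dataclass(frozen=True)
class Vulnerability:
    asset: Asset
    threat: Threat
    weakness: str
    mitigation_cost: int  # constructed relative cost units to close the weakness


def risk_level(likelihood: str, impact: str) -> str:
    """Map (likelihood, impact) to a risk tier via the product of their scores.
    Assumed cut-offs: 6-9 high, 3-4 medium, 1-2 low."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(vulns):
    """Return (risk tier, vulnerability) pairs ordered for the Risk Management Plan:
    higher risk first; among equal risk, the cheaper mitigation first."""
    scored = [(risk_level(v.threat.likelihood, v.asset.value), v) for v in vulns]
    scored.sort(key=lambda rv: (-LEVELS[rv[0]], rv[1].mitigation_cost))
    return scored


# Constructed sample register: a high-value database, a low-value kiosk, two threats.
CUSTOMER_DB = Asset("customer database", "high")
LOBBY_KIOSK = Asset("lobby kiosk", "low")
PHISHING = Threat("credential phishing", "high")
FLOOD = Threat("regional flooding", "low")

SAMPLE_VULNS = [
    Vulnerability(CUSTOMER_DB, PHISHING, "no MFA on admin console", 20),
    Vulnerability(LOBBY_KIOSK, FLOOD, "ground-floor placement", 5),
    Vulnerability(CUSTOMER_DB, FLOOD, "single data center, no offsite backup", 50),
    Vulnerability(CUSTOMER_DB, PHISHING, "weak password policy", 10),
]

if __name__ == "__main__":
    for tier, v in prioritize(SAMPLE_VULNS):
        print(f"{tier:6} cost={v.mitigation_cost:3}  {v.asset.name}: {v.weakness} ({v.threat.name})")
```

Only the qualitative inputs the section describes feed the ranking; the unidentified residual risk the text mentions is, by definition, not in the register and is the reason the process is iterative rather than run once.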

6. Security Management Function

A Covered Entity should have a person in charge of the information security function at the company. For purposes of accountability, that one person should be accountable to senior management and ultimately to the board of directors or its equivalent. If the Covered Entity does not have such a person, then the security function is scattered, multiple people may attempt to shift responsibility among themselves, and critical security tasks may fall through the cracks. Frequently, management assigns security oversight in a company to a Chief Information Security Officer.

7. Hiring/Supervising/Terminating Workers/Single-user Accounts/Accountability

People are the weakest link in any security program. To address this vulnerability, the Covered Entity must establish policies, procedures, and standards for ensuring that the security risk of the workforce itself is managed. Workers without a need for access should not be given access rights, and workers without explicit access rights should be denied access to security-sensitive information. To comply with these administrative safeguards, the Covered Entity, through administrative procedures, should implement the following three procedures:

  • Authorization and/or supervision (granting access privileges and supervising workers' access to security-sensitive information),
  • Workforce clearance process (managing the hiring and HR policies of the Covered Entity to ensure that it fills roles with trustworthy and competent personnel), and
  • Termination procedures (revoking access privileges and obtaining the return of devices, media, and security-sensitive data).

8. Access Management

These administrative procedures govern how Covered Entities grant access privileges for applications, workstations, and security-sensitive information to authorized people in the organization. When determining who in the organization should access systems, programs, databases, or other intermediaries to security-sensitive information, management should consider policies that limit access to the minimum number of people and the minimum extent necessary for employees to perform their jobs. Granting privileges that exceed the minimum required for proper job performance adds risk to the security and privacy of sensitive information.
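The termination procedure and the minimum-necessary access principle described in the two sections above can both be verified by a periodic access review that reconciles an account inventory against the HR roster and a per-role privilege baseline. The code below is an added example for this page, not the article's or any product's code; the roster, role baseline, account export, and privilege names are constructed sample data.

```python
"""Access review: flag accounts whose owner has left (termination procedure not
completed), accounts with no owner in HR at all, and privileges that exceed the
minimum the owner's role requires. All inputs are constructed sample data."""
from dataclasses import dataclass

# Constructed HR roster: username -> (employment status, role).
HR_ROSTER = {
    "alice": ("active", "claims_processor"),
    "bob": ("terminated", "claims_processor"),
    "carol": ("active", "dba"),
}

# Constructed least-privilege baseline: the minimum privileges each role needs.
ROLE_BASELINE = {
    "claims_processor": {"claims:read", "claims:update"},
    "dba": {"db:admin", "claims:read"},
}

# Constructed account export from the application: username -> granted privileges.
ACCOUNTS = {
    "alice": {"claims:read", "claims:update", "db:admin"},  # db:admin exceeds her role
    "bob": {"claims:read"},                                  # owner was terminated
    "carol": {"db:admin", "claims:read"},                    # matches baseline
    "svc_legacy": {"claims:read"},                           # no owner in HR roster
}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str    # "orphaned", "terminated", or "excess_privilege"
    detail: str


def review_access(roster, baseline, accounts):
    """Compare every account against the roster and baseline; return findings
    in account-name order. An account with no findings is compliant."""
    findings = []
    for user, privs in sorted(accounts.items()):
        if user not in roster:
            findings.append(Finding(user, "orphaned",
                                    "no owner in HR roster; disable or assign an accountable owner"))
            continue
        status, role = roster[user]
        if status != "active":
            findings.append(Finding(user, "terminated",
                                    f"owner status is '{status}'; account should have been revoked"))
            continue
        # Least privilege: anything granted beyond the role baseline is a finding.
        excess = privs - baseline.get(role, set())
        for priv in sorted(excess):
            findings.append(Finding(user, "excess_privilege",
                                    f"{priv} exceeds the baseline for role '{role}'"))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ROLE_BASELINE, ACCOUNTS):
        print(f"{f.account:10} {f.kind:17} {f.detail}")
```

The review deliberately treats a terminated owner and a missing owner as separate finding kinds: the first is a gap in the termination procedure, the second is a gap in the authorization procedure, and each points to a different owner for remediation.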

9. Security Awareness and Training

People cannot perform their duties securely unless they are familiar with the entity's security policies and procedures. Awareness allows employees to grasp the importance of security and its role in protecting privacy. Training focuses on how to use the security features and maintain a secure information-processing environment.

  1. Reminders: training and awareness are continuous, not one-time events. The Covered Entity must have an ongoing, periodic security awareness and training program. Its goal should be to keep staff updated on the latest risks and threats the organization is facing, as well as any changes in the Covered Entity's security programs.

  2. Malware/Social Engineering: the organization must have a policy and procedure on how it will protect itself from malicious software and phishing attacks. Malicious software can be any code that affects the confidentiality, integrity, or availability of security-sensitive information. Examples of malicious software include viruses, worms, and Trojan horses. Most recently, companies have been victimized by numerous "ransomware" attacks in which malicious software encrypts a company's data and attackers demand a ransom to decrypt the information.

    Software can enter the environment from many sources, including e-mail, USB drives and other media, employee-installed software, and websites. Phishing attacks involve sending messages to people to get them to sign into phony sites and disclose their login credentials, which can be harvested and used for impersonation, identity theft, and other malicious purposes.

  3. Log-in Monitoring: the Covered Entity should have appropriate procedures for monitoring attempts to log into systems or applications that contain or can access security-sensitive information and for reporting anomalous events. Examples of these events include:

    • Unusual times for a workstation to be active or logged in (such as well after business hours or during an employee's off time), which may signal that an employee is trying to get protected information outside the scrutiny of his/her supervisor, or that an attacker is attempting to gain unauthorized access.
    • Unusually high numbers of failed login attempts (which might indicate that an attacker is trying to log in, does not know the password, but is attempting to guess it).

  4. Password/Credential Management

Covered Entities can train their personnel to choose and maintain secure passwords used for access control to systems and information. Passwords may have security standards of their own, such as:

  • Minimum length.
  • Complexity (e.g., required numeric and non-alphabetic characters, lower and upper case letters, etc.).
  • Difficulty of guessing (e.g., avoidance of dictionary words, maiden names, pets' names, spouse's name, etc.).
  • Minimum and maximum usage time dictating when they must be changed.

Password management and password confidentiality policies and procedures directly affect the security of the accessed system or application.

If the Covered Entity uses authentication methods other than passwords, such as smart cards or other hardware tokens, it should have policies and procedures for issuing, managing, and revoking the credentials associated with such devices.
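The two anomalous events listed under Log-in Monitoring above (off-hours logins and bursts of failed attempts) can be turned into detection logic run over authentication log lines. The block below is an added example for this page, not code from the article; the log line format, the 07:00 to 19:00 business-hours window, the five-failures-in-ten-minutes threshold, and the log lines themselves are constructed assumptions. It also adds the follow-on case a practitioner cares about most: a successful login by an account that has just produced a failure burst.

```python
"""Log-in monitoring over constructed authentication log lines.

Three detections: a successful login outside business hours, a burst of failed
logins for one account within a sliding window, and a success that follows such a
burst (the guess may have worked). Format, thresholds and data are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)                 # assumed: 07:00-19:00 counts as business hours
FAILURE_THRESHOLD = 5                    # assumed: this many failures...
FAILURE_WINDOW = timedelta(minutes=10)   # ...within this window raises an alert

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2017-10-03T08:58:12 host=ws03 user=adoe event=login_success
2017-10-03T09:01:10 host=ws03 user=adoe event=login_failure
2017-10-03T23:47:30 host=ws17 user=jsmith event=login_success
2017-10-03T23:50:01 host=ws21 user=admin event=login_failure
2017-10-03T23:50:04 host=ws21 user=admin event=login_failure
2017-10-03T23:50:09 host=ws21 user=admin event=login_failure
2017-10-03T23:50:15 host=ws21 user=admin event=login_failure
2017-10-03T23:50:22 host=ws21 user=admin event=login_failure
2017-10-03T23:51:00 host=ws21 user=admin event=login_success
"""


def parse_line(line):
    """Split one constructed log line into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return start <= ts.hour < end


def detect_anomalies(log_text):
    """Return alerts as (kind, user, host, timestamp) tuples in log order."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps inside the window
    burst_users = set()                   # users already alerted for a burst

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ts, user, host, event = rec["ts"], rec["user"], rec["host"], rec["event"]

        if event == "login_failure":
            window = recent_failures[user]
            window.append(ts)
            # Drop failures older than the window before counting.
            while window and ts - window[0] > FAILURE_WINDOW:
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and user not in burst_users:
                burst_users.add(user)
                alerts.append(("failed_login_burst", user, host, ts))

        elif event == "login_success":
            if not in_business_hours(ts):
                alerts.append(("off_hours_login", user, host, ts))
            if user in burst_users:
                alerts.append(("success_after_failure_burst", user, host, ts))

    return alerts


if __name__ == "__main__":
    for kind, user, host, ts in detect_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {kind:28} user={user} host={host}")
```

The burst alert fires once per account rather than on every further failure, so the reporting procedure the section calls for receives one event to investigate; the success-after-burst alert is the one that should be escalated first, since it is the pattern a guessed password produces.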

10. Incident Response and Handling

The Covered Entity should train all personnel to be aware of events that may show a security incident has taken place. It should also establish mechanisms and procedures for reporting such events as potential security incidents, and procedures for investigating and responding to them.

In response to incidents, Covered Entities must take steps to mitigate their effects. Mitigation may take the form of closing a vulnerability that caused the incident, retrieving data that was lost or misappropriated, implementing a new security safeguard, or strengthening an existing safeguard.

In any event, Covered Entities should document incident reporting and handling to make a record of what happened, to aid in managing future efforts to respond to the incident, and to facilitate remedial actions that prevent similar incidents in the future.

11. Backup/Disaster Recovery/Business Continuity

Data backup planning and execution involves more than occasionally making a copy of security-sensitive information and storing it somewhere. Backup planning and implementation should be a formal process that includes planning for:

  • Backup frequency and maximum allowed data loss. The backup frequency (e.g., once per week, once per day, once per hour) and the location of the backup media determine the maximum allowed data loss (the amount of information that wasn't backed up, but now, due to the emergency or other incident, is not retrievable).
  • Maximum time to restore. This metric determines how long it will take to move the backup copy into service. Different methods of storage – tape, optical disk, etc. – require different amounts of time to restore.

Backups need the same security protection as data receives in its primary (production) systems for normal use. Backup policies and procedures must be subject to the same management controls as the production services.

12. Assessment

No policy or procedure lasts forever. Management should ensure that policies and procedures are kept current with prevailing security threats, information system vulnerabilities, and security and privacy risks. Management should identify the policy and procedure evaluation frequency (such as once per year, etc.) and document it in the Covered Entity's security policies and procedures. Covered Entities need to maintain version control of all policies and procedures. All personnel and advisors should be working with the most recent version of a policy or procedure.

13. Third-Party Supervision

Today, outsourcers and vendors perform many key roles for Covered Entities. When performing these functions, they will likely have access to security-sensitive information. Covered Entities should put into place appropriate agreements to require that third-party service providers protect the security of such data. Agreements should identify the information that needs to be protected, require assurances of security, incorporate a mechanism to assess compliance, require notification if a security breach occurs, and impose consequences in the event of a breach.

B. Physical Safeguards

Physical safeguards consist of the business policies, procedures, and recordkeeping required to protect a Covered Entity's physical facilities and equipment that contain security-sensitive data against specified hazards.

1. Facility Planning

Part of planning for physical safeguards involves protecting information systems from physical intrusions, such as break-ins, and from workers with legitimate access to some facilities seeking to gain unauthorized access to facilities to which they have no access privileges. A Covered Entity should have documented and implemented policies and procedures to limit who has physical access to information systems, such as who has the ability to touch an information system component's keyboard, to look at its screens, to access servers, or to take a laptop out of the workplace and into the home or car.

Data center construction involves complex planning to protect sensitive systems in high-security zones. Information security professionals speak of protecting sensitive systems with multiple physical security tiers. A tier is a self-contained protected area that cannot be accessed from outside without entering through an opening to which access is controlled, for example a locked door. High security zones are protected by multiple tiers of physical security.

Because information systems are increasingly mobile, the physical premises, interior, and exterior of a building that contains sensitive information could include an employee's home or another structure outside the general intuitive meaning of a workplace building. Thus, the concept of a controlled facility may extend into these non-traditional areas. The Covered Entity must consider the impact of physical security across its entire extended facility.

2. Workstation/Mobile Device Use Policies and Procedures/BYOD

The mobile revolution has engulfed the business world. People are increasingly using tablet computers, smart phones, and other mobile devices to perform business-critical functions. At the same time, people still use PCs for much of the intensive work they do, such as writing lengthy reports, doing work that requires the use of large displays, or running processor-intensive applications. Theft and loss of mobile devices and laptops are still leading causes of data breaches. Office break-ins show that even desktop PCs and servers are vulnerable to theft. Both computers and mobile devices require protection, and the Covered Entity should have policies and procedures in place to prevent the accidental loss and theft of computing devices.

In addition, companies are increasingly embracing "bring your own device" (BYOD) – a policy that permits workers to choose the mobile device they want to perform work functions. Companies may pay for such devices, may subsidize the cost, or may simply require employees to bear the cost of such devices. BYOD advocates tout the policy's ability to increase worker productivity and acceptance, since workers are using devices they like and feel most comfortable with. Companies that shift some or all of the cost of devices to employees may see savings.

On the other hand, BYOD policies have their own set of security and privacy challenges that companies must consider before adopting them. For example, among other things, companies must have policies, procedures, and technology to secure company information stored on the devices, ensure that mobile devices do not introduce malware into the company's systems, ensure that they meet company security standards, register the devices, control access to company networks when workers are using them, and ensure that the company has access to such devices in the event of an ediscovery request or upon termination of the worker.

3. Physical Safeguards Around Workstations

Workstation security involves the Covered Entity assessing and managing the risk of what work is being done and where. Administrative and technical safeguards may be taken into account when a Covered Entity determines the overall risk to information security that a particular location poses. The use of partitions and the layout of workstations may reduce the risk of unauthorized viewing of information on screens. Locks may prevent visitors from taking devices from the workstation area.

Strong authentication, encryption, and software access controls, for example, may mitigate risks of poor physical security. Laptops and other mobile devices often contain these kinds of technical safeguards to mitigate risks to confidentiality.

4. Inventory and Media Control and Disposal

The Covered Entity should inventory and track the devices under its control. A failure to know what devices it has could allow personnel or persons outside the Covered Entity to take devices without authorization and without detection. An updated inventory allows the Covered Entity to notice if devices are missing and to investigate any discrepancies.

The Covered Entity should have policies and procedures to ensure that security-sensitive information located on hardware or electronic media is in fact destroyed prior to its disposal. "Disposing" can include reusing a piece of hardware for applications that do not require access to security-sensitive information. All security-sensitive information should be erased before reuse or disposal. When erasure is impractical, as in the case of a CD-ROM, the Covered Entity should physically destroy the electronic media.

One particular threat is the reuse or disposal of a workstation or laptop that previously stored or processed security-sensitive information. Simple file deletion generally does not permanently erase the information, and many utilities can easily recover these files. The Covered Entity should use a secure data destruction methodology to cleanse any storage media before reusing it.

C. Technical Safeguards

Technical safeguards are security controls protecting security-sensitive data that are carried out via technology or managed by technology. Security hardware and software enable the Covered Entity to implement such controls. Among other things, technical safeguards prevent unauthorized access to security-sensitive information, protect against malware, provide audit trails for investigation or assessments, and prevent corruption of or tampering with systems.

1. Access Control Technology

Access control systems should identify, authenticate, and authorize people and processes, implement a method of mediating access to information based upon the authenticated entity's authorization, and log data accesses for later review. The Covered Entity should prepare policies and procedures on how it manages access control to security-sensitive information. These policies and procedures should include controls to ensure:

  • Every user is uniquely identified and authenticated.
  • User activity is logged.
  • Access controls are in place and are effective (e.g., security-sensitive information is kept secure and/or encrypted to ensure its confidentiality).

In addition, the Covered Entity should have systems to prevent unauthorized access to systems containing security-sensitive information (e.g., firewalls) and detect intrusions (e.g., intrusion detection systems).

2. Patching/Updates

Covered Entities should have systems for regularly updating system and application software. Software manufacturers regularly issue patches and software updates to address security vulnerabilities and improve the ability of the software to resist attacks. Keeping software up-to-date will lower the risk of exploits and malware. The recent Equifax breach apparently stemmed from the company's failure to update software to address a known vulnerability.

3. Logging

Covered Entities should have a technical method for logging user and system activity and a method, automated or procedural, for examining that activity log at a later time. The overall intent of this requirement is to give the Covered Entity a means of monitoring user access to security-sensitive information and to hold users accountable for their access behavior. Logs of machine processes assist in monitoring the status of systems, and may assist in investigations of malicious activity, as well as possible abuse or software errors.

4. Integrity Controls

Covered Entities should use technology to prevent, or at least detect, improper data alteration and destruction from causes such as:

  • Equipment failure.
  • User accidents.
  • Malicious user acts.

Technologies like redundant arrays of inexpensive disks (RAID), error-correcting memory, and fault-tolerant (clustered) systems already exist to reduce the risk of data alteration or loss from equipment failure. Well-designed user interfaces to databases and applications can reduce accidental data alteration or loss. Digital signature technology assists in identifying and preventing malicious user data manipulation or corruption.

5. Authentication

Authentication technology permits a Covered Entity to know that an authorized person, entity, or process is gaining access to information or systems. Systems commonly use passwords, tokens, biometrics, or dial-back techniques to verify an individual's or entity's identity. Covered Entities frequently use these authentication technologies to control access to security-sensitive information.

6. Transmission Security/Wireless Security

Covered Entities should protect security-sensitive information while it is in transit over a network, such as office wireless networks or the Internet. Security threats addressed include:

  • Eavesdropping – An unauthorized person "listens" in on an unprotected or open network carrying security-sensitive information.
  • Data modification – Interception and surreptitious modification of security-sensitive information by an intruder in a way that the recipient cannot detect.

The Covered Entity should protect data while in transit commensurate with the transmission security risks and their associated mitigation costs.

7. Encryption

The Covered Entity should evaluate and decide whether to encrypt some or all of its security-sensitive data while it is at rest in storage or transmitted over networks. Considerations going into this decision include:

  • The recipients' ability to receive and decrypt an encrypted message.
  • The sensitivity of the transmitted data.
  • The potential impacts of unauthorized disclosure.
  • The costs of implementing, managing, and operating the encryption system.
  • The vulnerabilities of storage, the network, and the overall environment.

D. Robust Policies, Procedures, Standards and Documentation

Covered Entities should maintain robust documentation relating to their security programs. Common types of documentation include:

  • Policies – Management's documented statement of intent.
  • Standards – Policy-mandated technical measures the Covered Entity will apply to solve specific problems. Standards often specify the appropriate use of technology.
  • Guidelines – Suggested, usually strongly suggested, behavior recommendations that usually will be followed.
  • Procedures – Documented methods for implementing mandated processes.

Policies are more general than other forms of documentation, while procedures are the most specific form of documentation. Standards and guidelines are in between. Documentation also includes security-related records, such as risk assessments, risk management decision-making, and records of investigations.

VII. Incident Response Steps: What Happens When There is a Breach?

Imagine for a moment that you believe your company may have experienced a data breach. In other words, your security company has detected or has been notified of some event. What do you do now?

First, take a deep breath. It is important to think clearly and not react instantly based on gut feelings and instinct.

Next, if you've done advance planning, you will have a breach response plan ready to go. It is a matter of executing the plan that you have already created. Initial steps include notification to your breach response team. Depending on the nature of the breach, team members include senior executives from the legal, IT, security, HR, marketing, and finance departments. Initial meetings can focus on the nature of the events, the initial take on what happened, understanding the severity of the incident, and identifying affected external parties or participants in the event.

Following initial meetings, the initial days of a breach response include an internal investigation to determine the facts and circumstances surrounding the apparent breach. What really happened? Information begins streaming in, and it may or may not show that a breach occurred. If it is clear that a breach occurred, it might not be clear how it happened, who was responsible, and whether it is still ongoing. The internal investigation stage is to find answers to all of these questions.

At the same time the internal investigation is starting, internal IT, security, and perhaps external forensic experts should be analyzing systems to determine the best course of action to prevent further exploitation of the breach, minimize the damage from the breach, determine the source and scope of the attack, leave open the possibility of a law enforcement investigation, discover and find evidence of the attacker, and preserve evidence needed for later legal proceedings, including both defensive and offensive actions. It may not be possible to meet all of these goals. Accordingly, the company may need to decide on the priority of these goals.

During this initial phase, the company should also consider notifying law enforcement. Collaborating with law enforcement has plusses and minuses beyond the scope of this paper. One important plus for involving law enforcement, however, is the fact that under many states' breach notification laws, a company may delay making required breach notifications if law enforcement believes that such delay is important for its investigation of the breach. Accordingly, working with law enforcement may buy the company some time when it comes to making decisions about the need for, or the timing of, breach notifications.

While the internal investigation is getting underway, the legal team can determine the legal posture of the company in light of the breach. The legal team should consider implementing a litigation hold and its scope, as well as taking steps to preserve evidence relevant to possible litigation. It should also begin analyzing possible claims that parties could assert against the company, or possible claims that the company has against others, arising from the apparent breach.

Keep in mind that if investigations may show that the company had vulnerabilities, the company may want to have outside counsel retain the computer forensic experts investigating the breach. Hiring experts in this way makes them an extension of outside counsel. Communications between the company and such experts can be protected by the attorney-client privilege. Thus, when the company is discussing vulnerabilities and weaknesses in systems or other information that may tend to indicate liability, it can protect such discussions with the privilege.

Upon the completion of an initial internal investigation, the company should develop enough information to determine if a breach notification is necessary and, if it is, whom the company should notify. Different jurisdictions have different triggers for notifications, and it is important to analyze their different laws to determine whether notification is needed. If notifications are required, then the company should determine the timing, and begin drafting the notices for review and approval by the team. Once approved, the company should send notices out as quickly as possible.

In preparing the notices, the company should account for requirements about the content of the notices. It should also take into account those jurisdictions requiring notification to the attorney general or other entities, in addition to the affected individuals. Finally, it should be aware of possible alternative means of notice under certain state laws, in case these means are the only way to inform some of the affected individuals.

Once an investigation is completed and law enforcement has wrapped up its investigation, the company can modify systems, close vulnerabilities, and remediate issues uncovered by the investigation. The idea here is to prevent the attackers from making additional attacks or exploiting the current breach. In addition, these steps will hopefully prevent future breaches by others.

Following the remediation phase, the company can then "close the loop" and undertake steps to evaluate what happened and make changes to prevent future breaches. For example, post-breach analysis is a good time to reconsider the controls in the company's security plan to make changes and upgrades to minimize the risk of future breaches. The company may wish to make changes in its security policies, its procedures, technical standards, training programs, supporting guidelines, or technology.

In addition, the company may want to undertake a new risk assessment to provide an updated view of the company's security posture. A risk assessment is a fundamental tool to determine what risks exist, which risks to mitigate, which risks it makes sense to shift (e.g., through insurance or indemnities), and which risks to accept.

Upon completion of these steps, the company should implement changes to procedures, standards, training, guidelines, and technology based on the information developed in this phase. At the end of this process, the company will hopefully be in a better position to deter, detect, and prevent security breaches.

VIII. Secure Electronic Commerce Systems

How does a company conduct electronic commerce in a secure manner? In creating secure ecommerce systems, a company may seek to take advantage of the Internet to open new markets and facilitate paperless transactions at Internet speed. At the same time, companies want to enter into enforceable transactions and impose limitations of liability, disclaimers, and other critical terms on their customers or vendors. How can a company set up an ecommerce system to meet all of these goals?

Your company may use technologies such as digital signatures, supported by digital certificates or their equivalent, to authenticate contracting parties, facilitate the encryption of transactional information to protect its confidentiality, and tie contracting parties to your terms of service or other agreements. Other technologies provide similar assurances of security, although perhaps not as effectively as digital signatures and digital certificates.

Establishing secure electronic commerce systems involves making use of security technology, supported by procedures and training, to facilitate online transactions. The systems of the company and of vendors providing the technology or supporting services will need to implement many of the security controls discussed above. Implementing such controls will enable the company to create a credibly secure ecommerce system, whose security can be demonstrated to customers, vendors, and other stakeholders through security audits, assessments, and related attestations.

IX. Conclusions

With the ever-increasing number of attacks from competitors, former employees, hacktivists, state actors, and organized crime, companies holding sensitive data face escalating challenges to secure their systems, comply with security laws, protect the value of their sensitive customer information and intellectual property, and minimize their liabilities. Data breaches pose considerable risks to companies. Nonetheless, companies have tools at their disposal to manage the risks of data breaches. Moreover, if they take the right steps, they can recover from data breaches and increase the security of their organizations.

To find out more about how your company can reduce the risks of data security breaches, or respond to an ongoing breach, please contact Stephen Wu, (408) 573-5737.


Source: https://www.svlg.com/data-security-breaches-a-legal-guide-to-prevention-and-incident.html
