Transcript Slide 1

Protecting Data On The Move

Scott Spiker

Enterprise Account Executive - NorCal


Agenda:

• The Evolution of Data
• Regulation Complexity
• Dealing with Data Loss
• Strategic Planning
• Q&A


Evolution of Data

• Protect your vital data
• Your data is no longer confined to the 4 walls of your organization
• Desktop, Laptop, Server, Mobile, USB Drive, Email, Cloud Storage, SMS, Chat, Social…


Evolution of Data

• Collision of data points and employee efficiencies
  ○ More data, more access
• Post Recession Workplace
  ○ Do more with less
  ○ Distributed workforce
  ○ Increased collaboration


Regulation Complexity

• State Privacy & Disclosure laws
• HIPAA/HITECH (medical)
• PCI-DSS (credit card)
• FERPA (education)
• FISMA (federal)
• GLBA (finance)
• SOX (corporate auditing)

The good news is the holes in the armor are defined.


CA Data Breach Act: SB 1386 Standards for The Protection of Person

Designed to ensure that Californians are alerted whenever their personal information may have been compromised.

The law went into effect July 1, 2003. Essentially, any organization with a customer or employee residing in the state of California is affected.

Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html


California SB 1386 Requirements

Any company with employees or customers in the state of California must notify them, at the company’s expense, if their personal information is lost, stolen, or believed to have been lost or stolen.

It further specifies that a breach need only be “reasonably believed” to have occurred to force notification.

Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html


California SB 1386 Requirements

“Any person or business that conducts business in California shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Where does the burden of proof lie??

Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html


California SB 24 - What’s changed?

Enhanced Breach Notifications (to include specific information)

Requirement to notify Attorney General (if breach >500)

Covered Entities/Business Associates considered HIPAA HITECH Compliant must also comply.

Entities notifying individuals through the media must also notify Office of Privacy Protection

Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html


California SB 1386 - What can we do?

Section 1798.29(a) of the regulation specifies that encrypted data, even if lost or misdirected, is not subject to customer notification requirements. Access control is not enough.

Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html


Payment Card Industry Data Security Standard

12 key elements to protect sensitive data & over 250 controls. At a high level, PCI-DSS boils down to these 4 key things:

1) All merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times – the deadlines have already passed.
2) Merchants cannot store certain credit card information or track data from the magnetic strip or PIN data.
3) If permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required.
4) “Carrot & the Stick” – Safe Harbor from fines IF a merchant was in compliance at the time of a breach, versus fines as high as $500,000 per incident and the potential loss of the ability to take credit cards.

Source: PCI DSS Compliance Overview, Braintree Payment Solutions, www.getbraintreee.com


• Health Insurance Portability and Accountability Act (HIPAA): Secure “protected health information” (PHI).
• Health Information Technology for Economic and Clinical Health Act (HITECH) includes funding for electronic health records, and enforces increased security & privacy protection requirements.
• The regulation defines unsecured protected health information (PHI) as PHI that is not secured through the use of a technology or methodology to render it unusable, unreadable, or indecipherable to unauthorized individuals.

• HIPAA HITECH now applies to Business Associates (BAs) directly.
• HITECH also increased the penalties for violations of HIPAA.
• Not just big breaches – 57,000+ breaches reported of under 500 individuals.
• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
• HITECH establishes punishment for willful neglect.


Repercussions of a breach….

Company or Agency | Breach | Fine
UCLA Health System | 2 celebrities’ records accessed | $850,000
Impairment Resources, LLC | Burglary in Dec 2011. “The cost of dealing with the breach was prohibitive” | Bankrupt and closed down
Kern Medical Center | Facility failed to prevent the theft of 596 patients’ PII | $250,000
Enloe Medical Center | Unauthorized access of one patient’s medical information by seven employees | $130,000
Union Bank | Former contractor kept proprietary bank data in his possession upon his departure from the Bank | 2 years of credit monitoring
Delano Regional Medical Center | Unauthorized access and disclosure of one patient’s medical information by one employee | $60,000

Or just use the state’s handy breach search tool! http://oag.ca.gov/ecrime/databreach/list


Recent Data Breaches

• May 2013, CA Dept of Public Health, 2,000 records, unsecured reel
• May 2013, University of Rochester Medical Center, 537 records, lost USB drive
• May 2013, Honolulu Police Dept, 3,500 records, unknown breach
• April 2013, Orthopedic Physician Associates, unknown # of records, stolen laptop
• April 2013, Hope Hospice, 818 records, unencrypted email
• April 2013, Upstate Univ Hospital, 283 records, stolen laptop


How data is lost

[Chart: share of data-loss incidents by channel. Categories: PCs (laptops, desktops), Malware, Web/email, Documents, Portable devices, Fraud. Values shown: 14%, 10%, 8%, 17%, 17%, 31%; which value belongs to which category is not recoverable from the transcript.]

Source: www.datalossdb.org


Data loss: Just the facts

• 346M records compromised since ’05 [1]
• Costs: $214/record [2], $7.2m/incident [2]
• Fines: $1.5m/yr [3], $5k/violation/record [4], unlimited [5]
• Net: Loss of business
• Disclosure: Bad press, reputation damage

1) www.privcyrights.org
2) Annual Cost of a Data Breach ’10, Ponemon Institute
3) HITECH Act (US) – healthcare
4) Mass. Data security regulation 201 CMR 17
5) Data Protection Act (UK)


Mobile workers = data on the move

• More workers are mobile, businesses are buying more laptops
• They’re easy to lose and attractive to thieves
• Physical security isn’t always a priority

86% of IT practitioners say someone in their organization has had a laptop lost or stolen.

Source: Ponemon Institute

Security vs. Productivity

Balancing act – CISOs are struggling with maintaining security

Security:
• Secure the data
• Protect the customers
• Protect the users
• Protect the business

Productivity:
• Just let me do my job
• No training required
• Ease of use
• Access data on demand


Questions to ask:


Is your data copied to portable devices?

• They take data everywhere
• If they’re lost, can you be sure they’re secure?
• You probably can’t ban removable media
• People will plug them in anywhere


Do you have a cloud problem?

According to a survey, 61% of organizations are already using or planning to evaluate cloud storage, BUT 52% of organizations had yet to put controls in place to mitigate the risk of a data breach.

Source: Ernst & Young Global Information Security Survey 2011


Network files: Who’s in charge?

• Need to make sure the right people can share files
• Are roles being separated in the right way?
• Securing sensitive data (Finance, HR, etc.) from those inside the organization is difficult

If you’re not sure, you’re not secure

• Encryption now comes built in to some operating systems
• Can you be sure it’s still functional?
• How do you know if a user has changed settings?
• You may have to prove compliance with regulations

Strategic Planning

• DLP Plan
  ○ What are you doing to identify, classify, and protect your data?
• Device Control
  ○ What considerations have been made for USB/Portable Drives?
• Email
  ○ What email controls do you have around data?
• Encryption
  ○ Whole Disk, Removable and Cloud Storage, Mobile
• Mobile Control
  ○ BYOD or Corporate owned
• Network Protection

Complete Security

Leading with Complete Security

SafeGuard Enterprise: Your key to data protection with encryption

For More Information ….

LEARN MORE ABOUT

Sophos SPX DLP Encryption - email encryption

Sophos SafeGuard – encryption management

Sophos Web Gateway

Register Today: http://www.sophos.com/security/webseminars/

© Sophos Ltd. All rights reserved.
