Transcript Slide 1
Protecting Data On The Move
Scott Spiker
Enterprise Account Executive - NorCal
Agenda:
• The Evolution of Data
• Regulation Complexity
• Dealing with Data Loss
• Strategic Planning
• Q&A
Evolution of Data
• Protect your vital data
• Your data is no longer confined to the 4 walls of your organization
• Desktop, Laptop, Server, Mobile, USB Drive, Email, Cloud Storage, SMS, Chat, Social…..
Evolution of Data
• Collision of data points and employee efficiencies
  ○ More data, more access
• Post Recession Workplace
  ○ Do more with less
  ○ Distributed workforce
  ○ Increased collaboration
Regulation Complexity
State Privacy & Disclosure laws
HIPAA/HITECH (medical)
PCI-DSS (credit card)
FERPA (education)
FISMA (federal)
GLBA (finance)
SOX (corporate auditing)
The good news is the holes in the armor are defined.
CA Data Breach Act: SB 1386 Standards for The Protection of Person
Designed to ensure that Californians are alerted whenever their personal information may have been compromised.
The law went into effect July 1, 2003. Essentially, any organization with a customer or employee residing in the state of California is affected.
Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
California SB 1386 Requirements
Any company with employees or customers in the state of California must notify them, at the company’s expense, if their personal information is lost, stolen, or believed to have been lost or stolen.
It further specifies that a breach need only be “reasonably believed” to have occurred to trigger notification.
Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
California SB 1386 Requirements
“Any person or business that conducts business in California shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Where does the burden of proof lie?
Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
California SB 24 - What’s changed?
‒ Enhanced Breach Notifications (to include specific information)
‒ Requirement to notify Attorney General (if breach >500)
‒ Covered Entities/Business Associates considered HIPAA HITECH Compliant must also comply.
‒ Entities notifying individuals through the media must also notify Office of Privacy Protection
Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
California SB 1386 - What can we do?
Section 1798.29(a) of the regulation specifies that encrypted data, even if lost or misdirected, is not subject to customer notification requirements. Access control is not enough.
Source: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
Payment Card Industry Data Security Standard
12 key elements to protect sensitive data & over 250 controls. At a high level, PCI-DSS boils down to these 4 key things:
1) All merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times; the deadlines have already passed.
2) Merchants cannot store certain credit card information, track data from the magnetic strip, or PIN data.
3) If permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required.
4) “Carrot & the Stick”: Safe Harbor from fines IF a merchant was in compliance at the time of a breach, versus fines as high as $500,000 per incident and the potential loss of the ability to take credit cards.
Source: PCI DSS Compliance Overview, Braintree Payment Solutions, www.getbraintreee.com
Health Insurance Portability and Accountability Act (HIPAA): secure “protected health information” (PHI).
Health Information Technology for Economic and Clinical Health Act (HITECH) includes funding for electronic health records and enforces increased security & privacy protection requirements.
The regulation defines unsecured PHI as PHI that is not secured through the use of a technology or methodology that renders it unusable, unreadable, or indecipherable to unauthorized individuals.
HIPAA HITECH now applies to Business Associates (BAs) directly.
HITECH also increased the penalties for violations of HIPAA.
Not just big breaches: 57,000+ breaches of under 500 individuals reported.
HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
HITECH establishes punishment for willful neglect.
Repercussions of a breach….
Company or Agency | Breach | Fine
UCLA Health System | 2 celebrities’ records accessed | $850,000
Impairment Resources, LLC | Burglary in Dec 2011. “The cost of dealing with the breach was prohibitive” | Bankrupt and closed down
Kern Medical Center | Facility failed to prevent the theft of 596 patients’ PII | $250,000
Enloe Medical Center | Unauthorized access of one patient’s medical information by seven employees | $130,000
Union Bank | Former contractor kept proprietary bank data in his possession upon his departure from the Bank | 2 years of credit monitoring
Delano Regional Medical Center | Unauthorized access and disclosure of one patient’s medical information by one employee | $60,000
Or just use the state’s handy breach search tool! http://oag.ca.gov/ecrime/databreach/list
Recent Data Breaches
May 2013, CA Dept of Public Health, 2,000 records, unsecure reel
May 2013, University of Rochester Medical Center, 537 records, lost USB drive
May 2013, Honolulu Police Dept, 3,500 records, unknown breach
April 2013, Orthopedic Physician Associates, unknown # of records, stolen laptop
April 2013, Hope Hospice, 818 records, unencrypted email
April 2013, Upstate Univ Hospital, 283 records, stolen laptop
How data is lost
[Pie chart: how data is lost, by vector. Segments: PCs (laptops, desktops), Malware, Web/email, Documents, Portable devices, Fraud. Shares shown: 31%, 17%, 17%, 14%, 10%, 8%.]
Source: www.datalossdb.org
Data loss: Just the facts
346M records compromised since ‘05 [1]
Costs: $214/record [2], $7.2m/incident [2]
Fines: $1.5m/yr [3], $5k/violation/record [4], unlimited [5]
Net: Loss of business
Disclosure: Bad press, reputation damage
1) www.privacyrights.org
2) Annual Cost of a Data Breach ‘10, Ponemon Institute
3) HITECH Act (US) – healthcare
4) Mass. Data security regulation 201 CMR 17
5) Data Protection Act (UK)
Mobile workers = data on the move
• More workers are mobile, businesses are buying more laptops
• They’re easy to lose and attractive to thieves
• Physical security isn’t always a priority
86% of IT practitioners say someone in their organization has had a laptop lost or stolen
Source: Ponemon Institute
Security vs. Productivity
Balancing act: CISOs are struggling with maintaining security
Security:
Secure the data
Protect the customers
Protect the users
Protect the business
Productivity:
Just let me do my job
No training required
Ease of use
Access data on demand
Questions to ask:
Is your data copied to portable devices?
• They take data everywhere
• If they’re lost can you be sure they’re secure?
• You probably can’t ban removable media
• People will plug them in anywhere
Do you have a cloud problem?
According to a survey, 61% of organizations are already using or planning to evaluate cloud storage, BUT 52% of organizations had yet to put controls in place to mitigate the risk of a data breach.
Source: Ernst & Young Global Information Security Survey 2011
Network files: Who’s in charge?
• Need to make sure the right people can share files
• Are roles being separated in the right way?
• Securing sensitive data (Finance, HR etc) from those inside the organization is difficult
If you’re not sure you’re not secure
• Encryption now comes built in to some operating systems
• Can you be sure it’s still functional?
• How do you know if a user has changed settings?
• You may have to prove compliance with regulations
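The question above (is the built-in encryption still in place, and can you prove it?) ties back to the SB 1386 point that only encrypted data escapes the notification duty. As an added example that is not part of the original deck, this POSIX shell script reads `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output and reports, per mounted filesystem, whether a dm-crypt layer sits anywhere beneath it; the function names and the embedded sample are my own, constructed for illustration.

```shell
# Audit which mounted filesystems sit on a dm-crypt (LUKS) device by following
# the PKNAME (parent kernel name) column that `lsblk -P` prints for each device.
report_encryption() {
    awk '
    {
        # Each input line is a row of KEY="value" pairs, e.g.
        #   NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"   (assumes no spaces or "=" in values)
        name = ""; dtype = ""; mp = ""; pk = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            val = kv[2]; gsub(/"/, "", val)
            if (kv[1] == "NAME") name = val
            else if (kv[1] == "TYPE") dtype = val
            else if (kv[1] == "MOUNTPOINT") mp = val
            else if (kv[1] == "PKNAME") pk = val
        }
        typ[name] = dtype; parent[name] = pk; mount[name] = mp
    }
    END {
        # For every mounted device, walk up the parent chain looking for a "crypt" layer.
        for (n in mount) {
            if (mount[n] == "") continue
            state = "PLAINTEXT"; cur = n; hops = 0
            while (cur != "" && hops < 32) {
                if (typ[cur] == "crypt") { state = "encrypted"; break }
                cur = parent[cur]; hops++
            }
            print mount[n], state
        }
    }' | LC_ALL=C sort
}

# Exit 0 only when every mounted filesystem except /boot is encrypted. /boot is
# excluded because an unencrypted boot partition is normal for LUKS installs.
all_data_mounts_encrypted() {
    ! report_encryption | grep -v '^/boot ' | grep -q 'PLAINTEXT$'
}

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`: LVM root on
# LUKS, a plaintext /boot, and a plaintext USB stick mounted at /media/usb.
SAMPLE_LSBLK='NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="sdb1" TYPE="part" MOUNTPOINT="/media/usb" PKNAME="sdb"'

# Live use: lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | all_data_mounts_encrypted
printf '%s\n' "$SAMPLE_LSBLK" | report_encryption
```

Run across a fleet, the sorted report gives the per-host evidence the compliance question asks for, and the USB line in the sample shows how a plaintext removable device is flagged even when the system disk is encrypted.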
Strategic Planning
• DLP Plan
  ○ What are you doing to identify, classify, and protect your data
• Device Control
  ○ What considerations have been made for USB/Portable Drives
• Email
  ○ What email controls do you have around data
• Encryption
  ○ Whole Disk, Removable and Cloud Storage, Mobile
• Mobile Control
  ○ BYOD or Corporate owned
• Network Protection
Complete Security
Leading with Complete Security
SafeGuard Enterprise
Your key to data protection with encryption
For More Information….
• LEARN MORE ABOUT
  ○ Sophos SPX DLP Encryption - email encryption
  ○ Sophos SafeGuard – encryption management
  ○ Sophos Web Gateway
  ○ Register Today http://www.sophos.com/security/webseminars/
© Sophos Ltd. All rights reserved.