Policies for data security
Back in 2007, the popular retail chain T.J. Maxx suffered a credit card and data breach with losses estimated in the billions of dollars. Other companies within the TJX parent company, including Marshalls and HomeGoods, were also affected. (Read an Information Week article from the time.)
Many of us have either directly suffered from losses like these and if not, perhaps felt the chill or worry about data security for systems we have worked on or have responsibility for. When a development director says, why shouldn’t we set up our own credit card processing and cut down on processing fees, you have to ask, uh, do you really want the responsibility of storing someone’s credit card numbers? When a manager says, but we have always appreciated the flexibility of using social security numbers as a secondary way of looking people up, you have to ask, is that ease worth the responsibility? When a youth services program has reporting requirements to a foundation asking for correlation with court involvement, pregnancy counseling, abuse at home, you have to ask, how much of that information do you want collected in one easy place? Maybe we have become more cautious about these matters, maybe not yet.
As it happens, TJX has its corporate headquarters here in Massachusetts, where I live and work, so the human impact and news coverage inspired a political response. The Commonwealth adopted what became 201 CMR 17, “Standards for the Protection of Personal Information of Residents of the Commonwealth.” Explaining the law, the Office of Consumer Affairs reported that upwards of 700,000 Massachusetts residents had suffered from stolen or lost personal information in just the last two years. This law, and others like it around the country, will be the response.
Here is an easy view of the regulations themselves.
This type of legislation could have a positive benefit. It also carries an implementation cost, applying even to small businesses and nonprofits, yet it has no funding. We call this an unfunded mandate. You have to do it, and you can be sued if not doing it results in someone suffering a loss, yet the Legislature has not provided funding for publicizing the law, educating technology folks on how to implement it, or for investing in the improvements the law will require. And as we know, this is not a time for nonessential technology investments. Originally, the law would have taken effect in May 2009. Recognizing reality, the state has now pushed it back to Jan 2010.
Whether it's onerous or not, and whether it applies to you elsewhere in the country or not, it could inspire useful improvements. The law firm Morrison & Foerster provided a useful summary of the types of policies needed to meet the requirements. How many of them do you already follow?
A friend and colleague, Adam Frost, has created a useful web site collecting policy suggestions and technology links around internal data security. Adam has spoken out passionately yet quite pragmatically on these issues for years, including in workshops we co-led at the Grassroots Use of Technology conferences. Check out http://www.201cmr17.com/, which is just beginning, and its associated blog.
There is also a LinkedIn group specifically on these regulations.
And a great discussion list on technology security issues generally is at http://www.naisg.org/.
I wonder how much time all of us give to these matters.
Labels: security, tech planning
3 Comments:
Yikes, total coincidence, but I just got this email...
=========
Hi Steve,
Hope this email finds you doing well.
Wanted to advise you we may have had an issue with the credit cards we have on file. We do not know for sure but for your protection, you may wish to discontinue the card to protect against any possible charges. We have made the changes in house to prevent this from occurring again. We will also be setting up a credit card monitoring program with one of the credit check companies and offering this to you if you would like this monitored for a year. Will have more info on this on Monday so will be back in touch at that time.
We apologize for the inconvenience this may cause you and hope nothing has occurred, but to be safe, you may wish to cancel the card we have on file and have a new one issued.
Feel free to contact me if you wish to discuss this further over the weekend.
All the Best...
I believe some of these issues are left up to you to decide by design. No two businesses are the same, and how CompanyA chose to implement a solution probably won't be how CompanyB did it. But they both may have achieved the same desired end result.
For example, if an organization processes credit card payments, the Payment Card Industry (PCI) Data Security Standard (DSS) v1.2 requirement 4 says "Encrypt transmission of cardholder data across open, public networks".
Furthermore: "4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks."
The requirements don't call out specific ways of implementation. Whether you choose to send sensitive data over an IPSEC VPN, utilize HTTPS, or send it via secure FTP, the intent of the requirement has been met by all three solutions.
As for "educating technology folks on how to implement it", there are plenty of more than qualified individuals and experts out there that can aid or implement a variety of solutions. There are virtually limitless resources online as well to aid in securing your digital assets. A simple example might be using the CIS's benchmarks (http://www.cisecurity.org/benchmarks.html) to harden a server before putting it into production.
As for "the Legislature has not provided funding for publicizing the law", everyone has what is called their duty of "due diligence". It isn't the government's responsibility to educate everyone as to what laws are governing them. Claiming ignorance will never hold up in court. The general "intent" of the law is there, but I can see where the frustration comes into play for the many that are affected by it. Even if a business processes a SINGLE credit card transaction in a year, they are still required to be compliant with the ENTIRE PCI DSS. That is a lot of work if you have a small business. There are many other reasons why organizations aren't compliant, but it is no surprise that there are as many breaches as there are, if not more, since all it takes is one small hole.
As the saying goes, we need three things to make it successful:
1. People
2. Process
3. Technology
Many organizations struggle with many of these, especially if funding is not available. I've seen many organizations be successful with implementing free/open source solutions. Maybe implementing an iptables firewall or OSSEC HIPS instead of purchasing commercial products.
Hopefully regulations such as 201CMR17 will prompt more and more organizations to start thinking about security in addition to functionality. The intent is there, it is just getting the rest of the folks on board to see what the "intent" is.
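The comment above notes that PCI DSS 4.1 states the intent (strong cryptography in transit) without prescribing an implementation. As an added illustration, not code from the post or its commenters, here is one way a client that ships cardholder data to a processing gateway can enforce that intent: refuse cleartext schemes outright, and dial HTTPS only with a TLS context that verifies the certificate, checks the hostname, sets a TLS 1.2 floor and disables compression. The gateway URL is a constructed placeholder; the helper names are this example's own.

```python
"""Client-side transport policy in the spirit of PCI DSS requirement 4.1.

Added example, not from the blog post or its commenters. PROCESSOR_URL is a
constructed placeholder; pci_client_context/transport_is_encrypted/
send_cardholder_data are names invented for this illustration. The
TLS 1.2 floor reflects current practice, not the 2009 text of the standard.
"""
import socket
import ssl
from urllib.parse import urlparse

# Constructed placeholder, not a real processor endpoint.
PROCESSOR_URL = "https://gateway.example.invalid/charge"

# Schemes that carry the payload inside an encrypted channel (TLS or SSH).
# Plain "http" and "ftp" are deliberately absent.
ENCRYPTED_SCHEMES = {"https", "sftp", "ftps"}


def pci_client_context() -> ssl.SSLContext:
    """Build a hardened client TLS context.

    create_default_context() already loads the system trust store; the
    explicit settings below make the policy visible and auditable rather than
    relying on whatever the interpreter's defaults happen to be.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # never talk to an unverified peer
    ctx.check_hostname = True                      # certificate must match the host dialled
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression leaks secrets (CRIME)
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that matter for an audit as plain values."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def transport_is_encrypted(url: str) -> bool:
    """True only when the URL scheme places the payload inside TLS or SSH."""
    return urlparse(url).scheme.lower() in ENCRYPTED_SCHEMES


def send_cardholder_data(url: str, payload: bytes) -> None:
    """Refuse cleartext transports before any bytes leave the host.

    Only the HTTPS path is implemented here; SFTP/FTPS would need their own
    clients but pass the same scheme gate.
    """
    if not transport_is_encrypted(url):
        raise ValueError(f"refusing to send cardholder data over cleartext: {url}")
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        raise NotImplementedError("this helper only speaks HTTPS")
    ctx = pci_client_context()
    with socket.create_connection((parts.hostname, parts.port or 443)) as raw:
        # server_hostname drives both SNI and the hostname check.
        with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
            tls.sendall(payload)


if __name__ == "__main__":
    print(context_policy(pci_client_context()))
    for candidate in (PROCESSOR_URL, "http://gateway.example.invalid/charge"):
        print(candidate, "->", "encrypted" if transport_is_encrypted(candidate) else "REJECT")
```

The scheme gate is the part most worth copying: it turns "we meant to use HTTPS" into a check that fails closed when a configuration value is edited to plain HTTP, which is the kind of quiet drift that an auditor reading 4.1 is looking for.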
The overall state of security within most organizations is extremely poor. I have probably one of the most interesting jobs, where I get to try and identify security weaknesses within organizations and attempt to "steal information" (legally) in order to help the organizations understand where the exposures are.
Most organizations get our report, and do nothing with it. Why is this? Because security is typically an added expense that they do not see a return on investment in and don't believe a TJX will occur to them.
Others try to do the right thing, and implement security and attempt to protect customer data; however, these companies are few and far between.
We as consumers really have nothing to worry about when a credit card gets stolen in a large breach like TJX. Why is that? Because we don't pay for it. TJX is responsible for paying for the reissuing of cards and, if applicable, fixing our credit. As consumers we typically only have to worry about the case where we leave our credit card on the ground and someone takes it. It's then our responsibility to fix whatever may have come of it.
I recently got a notice from the Heartland credit card breach; this was THE largest breach ever to occur in history. I have a federal credit union where I do my banking; they used Heartland for payment processing. USAA canceled my card and reissued me a new one with a new number. I guess the telephone call to reactivate my card was a bit of an annoyance, but it was trivial compared to what companies have to go through when they get breached.
The 201 CMR 17 amendment is a pretty weak guideline to try and incorporate into an organization and misses a lot of fundamental security principles; however, still... it is a starting point.
Compliance standards like PCI have taken mandating organizations that hold credit card data to a whole new level. While it has its own problems, it's still one of the better standards for security out there. Traditionally companies had zero security, and with the new PCI standard, companies now have to perform some level of security. It's no longer an excuse.
I don't think any law, rules, guidelines, mandates, compliance, or fines will make organizations truly take security seriously until their organization gets breached.