Comparing Management-Based Regulation and Prescriptive Legislation: How to Improve Information Security Through Regulation (a.k.a., “The Efficacy of Cybersecurity Regulation”) David Thaw University of Connecticut School of Law Yale Law School Information Society Project


Page 1

Comparing Management-Based Regulation and Prescriptive Legislation:

How to Improve Information Security Through Regulation

(a.k.a., “The Efficacy of Cybersecurity Regulation”)

David Thaw

University of Connecticut School of Law
Yale Law School Information Society Project

Page 2

Information Security Failures

• 04/17/2011 – Sony PlayStation Network compromised by attackers, 77,000,000 consumer records compromised
  – Sony compromised again… one week later! (24.6 million records)

• 01/29/2009 – Heartland Payment Systems payment card processing network compromise discovered, 130,000,000 consumer records compromised
  – Actual compromise occurred ~8 months earlier and went undetected!

• 01/17/2007 – TJX Companies reports information security failure that allowed attackers to compromise 94,000,000 consumer records, including many consumers’ payment card information
  – Banks wrote off tens of millions in fraudulent charges
  – Some consumers forced to obtain new driver’s licenses/ID #’s

Page 3

SBN “Triggering” Data

Identifier (usually name) + Sensitive Personal Information → Reportable Breach

Three Common Types of Sensitive Personal Information:

• Social Security Number
• Payment Card/Account Number*
• Gov’t-Issued ID Number*

But: exception for “encrypted” data!
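The trigger rule on this slide, as an added illustration that is not part of the deck: a small classifier that applies "identifier plus sensitive personal information, unless encrypted" to a constructed data inventory, so a defender can see which datasets would produce a reportable breach. The asterisked qualifiers on card and ID numbers are not modeled, and the dataset names and columns are invented for the example.

```python
from dataclasses import dataclass, field

# Field categories taken from the slide: an identifier (usually name) plus
# one of three common types of sensitive personal information (SPI).
IDENTIFIER = "identifier"
SPI_TYPES = {"ssn", "payment_card", "government_id"}


@dataclass
class Column:
    name: str
    category: str            # IDENTIFIER, one of SPI_TYPES, or anything else
    encrypted: bool = False  # the SBN "encrypted data" exception applies if True


@dataclass
class Dataset:
    name: str
    columns: list = field(default_factory=list)


def reportable_breach(ds: Dataset) -> tuple:
    """Apply the slide's trigger rule to one compromised dataset.

    Reportable if the data exposes a plaintext identifier together with at
    least one plaintext SPI element. Returns (reportable, names of the SPI
    columns that triggered the rule); an encrypted column never triggers.
    """
    has_identifier = any(c.category == IDENTIFIER and not c.encrypted for c in ds.columns)
    exposed_spi = [c.name for c in ds.columns if c.category in SPI_TYPES and not c.encrypted]
    if not has_identifier:
        return (False, [])  # SPI without an identifier is not a trigger on this slide
    return (bool(exposed_spi), exposed_spi)


def triage(inventory: list) -> dict:
    """Map each dataset name to whether its compromise would be reportable."""
    return {ds.name: reportable_breach(ds)[0] for ds in inventory}


# Constructed sample inventory (hypothetical names, not real data).
HR_DB = Dataset("hr", [Column("full_name", IDENTIFIER), Column("ssn", "ssn")])
ORDERS = Dataset("orders", [Column("customer", IDENTIFIER),
                            Column("card", "payment_card", encrypted=True)])
ANALYTICS = Dataset("analytics", [Column("dl_number", "government_id"), Column("zip", "other")])

if __name__ == "__main__":
    for name, flag in triage([HR_DB, ORDERS, ANALYTICS]).items():
        print(f"{name}: {'reportable' if flag else 'not reportable'}")
```

The "orders" dataset shows the exception the deck's CISOs reacted to: the same card numbers become non-reportable once the column is encrypted.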

Page 4

Page 5

Page 6

Page 7

Page 8

CISO Quotes: Effects of SBNs

• SBNs drive encryption policies:
  – “. . . [SBNs] caused us to . . . in a very short period of time, encrypt 40,000 laptops . . .” (CISO of a large healthcare organization)
  – “. . . What we have done is all computers now have to be encrypted.” (CISO of a large telecommunications company)

Page 9

CISO Quotes: Effects of SBNs

• SBNs drive encryption policies:
  – “So what’s happened since the Notification Laws have become sort of ubiquitous in the last three years [is] the security investment is moved, essentially to crypto. If it moves, encrypt it. If it stays there, encrypt it. There’s not much reflection on whether or not actually anyone ever uses that data. It’s still a breach.” (CISO of a large healthcare organization)

Page 10

CISO Quotes: Effects of SBNs

• “And so what’s been really interesting about the Notification Laws is [they] have come in and [ ] essentially reversed the whole direction security was taking from when I started this job.” (CISO of a large healthcare organization)

Page 11

CISO Quotes: Effects of SBNs

• “[B]asically [encryption] has distracted us from [] what I think is important thing . . . actually address[ing] things like Botnets and really significant network security vulnerabilities . . . [t]his whole crypto business [] has essentially moved resources from that area which we were kind of focusing on to this other area . . . every dollar that I spend on crypto is a dollar I don’t get to spend on something else” (CISO of a large health care organization)