Page 1: Privacy of Information (Securing Personal Data)

Casualty Actuarial Society, May 16, 2005

John B. Storey, CISSP

Privacy of Information (Securing Personal Data)

Page 2: Privacy of Information (Securing Personal Data)

Securing Data Is No Monkey Business

Page 3: Privacy of Information (Securing Personal Data)

Public Concerns for Personal Data

The “Big Brother” image
Identity theft is on the rise and a sense of helplessness prevails
Are corporations and the government doing enough to protect Personally Identifiable Information (PII) in their custody?
Identification numbers are attached to almost every transactional activity in our lives and history
Balancing the good and bad uses of information about an individual
Our need for access to many data sources has created a need for quick response
Securing PII and Personal Health Information (PHI) is a federal mandate

Page 4: Privacy of Information (Securing Personal Data)

FBI Annual Report

Over $65 billion is lost as a result of identity theft each year
There are over 10 million incidents of identity theft each year
Many people who suffer a loss don’t make a report
Consumers have spent over 300 million hours dealing with clearing their credit reports
Many don’t get through the process for years
Others have been unjustly denied job opportunities

Page 5: Privacy of Information (Securing Personal Data)

The Need for Data Repositories

“Everyone wants to know it now and fast”
The ease of access to information for quick decisions
Large data repositories for fraud detection
  Are criminals exploiting our system?
  Are people impersonating others?
Analytical data models and the almost perfect degree of accuracy required
  Creating the fair balance with scores
Risk analysis in business transactions

Page 6: Privacy of Information (Securing Personal Data)

Recent Publicized Personal Data Dilemmas

ChoicePoint: 145,000 names, addresses and Social Security numbers obtained by false customers and used in an identity theft ring
DSW Shoe Warehouse: 1.4 million credit card and driver’s-license numbers
Time Warner: 600,000 employee and customer Social Security numbers misplaced by the safety vault
Bank of America: 1.2 million customers’ Social Security numbers misplaced in transit
LexisNexis: 310,000 Social Security and driver’s-license numbers

Page 7: Privacy of Information (Securing Personal Data)

Inadvertent Disclosure of Data

Viruses can be used to obtain passwords
  Search randomly or specifically for password files
  Inadvertent disclosure and theft of data
Phishing uses creative “bait and hook”
  Deception and coercion lure the unsuspecting Internet user into disclosing sensitive information
Trojan Horses – the silent listener
  Get into a computer system in many ways
  Could be used to intercept sensitive information
Social Engineering
  Don’t be tricked into giving sensitive information to the wrong individual
Employees and contractors
  Beware of the opportunist and safeguard sensitive information by strictly applying the “need to know” rules
83% of companies surveyed experienced a security breach in 2004
  (source: 2004 Deloitte Global Security Survey)

Page 8: Privacy of Information (Securing Personal Data)

Protecting Data in Your Custody

Are data custodians aware of stored or shared PII data?
Who is using the data and for what purpose?
Is the data available for viewing on the Internet?
Is encryption used?
Is the customer or viewer properly credentialed?
What type of logs or electronic footprints are kept to meet regulatory requirements?
Where is it stored and for how long?
  Inherent security controls must be in place consistently as long as the data is stored and used
Are adequate data disposal controls in place?

Page 9: Privacy of Information (Securing Personal Data)

The Cost of Security Breaches

2001: ChoicePoint paid $1.3 million for sending driver’s license information over the Internet
2003: Acxiom experienced a hacking activity that resulted in information loss; the cost of the privacy breach was approximately $12 million
2005: ChoicePoint had a privacy breach; the approximate cost to date is $15 - $20 million in loss of potential business

Page 10: Privacy of Information (Securing Personal Data)

Protecting Data with an Effective Security Program

Develop risk management methodologies to quantify technology risks for informed decision processes, based on industry standards such as OCTAVE and NIST risk management.

Develop policies and best practices to safeguard ISO and Subsidiaries’ electronic information. Policies and best practices must be third-party validated against standards such as ISO 17799 and BS 7799-2.

Educate and raise awareness among employees of your company.

Monitor, quantify, and report violations of access controls.

Program components (as diagrammed on the slide): Risk Management; Policies, Procedures and Best Practices; Awareness & Training; Monitoring & Reporting.

Page 11: Privacy of Information (Securing Personal Data)

Statistics (source: Symantec/MSS 2003; 20,000 sensors deployed in over 180 countries)

Attack activity by type (pie chart):
  Worms and blended threats   43%
  Pre-attack reconnaissance   40%
  Exploit attempts            17%

Severe events experienced by industries, per 10,000 events (bar chart; y-axis 0 to 10). Bar values as they appear on the slide: 7.8, 6.2, 6.1, 5.4, 5.1, 3, 2.7, 2.5, 2.4, 1.9. Industries labelled along the x-axis: Financial Services, Business Services, Healthcare, Power & Energy, Media/Ent., Nonprofit, E-commerce, Mfg., High-Tech, Telco.

Top originating countries, excluding worms (first half 2003):

  Rank  Country        Share of total  Position in the two earlier 2002 periods
  1     United States  58%             1     1
  2     Canada          8%             5     7
  3     China           3%             2     3
  4     Japan           3%             9    10
  5     Australia       3%             NR   NR
  6     Germany         2%             3     4
  7     South Korea     2%             4     2
  8     Taiwan          2%             NR    6
  9     France          1%             6     5
  10    Italy           1%             10    8

(NR: not ranked in that period.)

Page 12: Privacy of Information (Securing Personal Data)

The Cost of Security Vulnerabilities

Sophisticated attacks
  Tools from password sniffing to self-propagating malicious software (malware)
  Speed of attacks from 3 years (e.g., boot sector viruses) to 4 days (e.g., Melissa) to minutes (e.g., the Beagle worm)
  Financial loss worldwide of $2 billion in August 2003 due to 3 worms in 12 days (Blaster, Welchia, and Sobig.F)
Increased number of software and system vulnerabilities
  From 171 vulnerabilities in 1995 to 3,784 in 2003 (source: CERT/CC)
  Average of 10 vulnerabilities per day
  70% of vulnerabilities are classified as EASY TO EXPLOIT (source: Symantec)
Open computing environment attacks
  e.g., remote access, PDA, wireless, etc.

Page 13: Privacy of Information (Securing Personal Data)

Federal and State Electronic Information Protection

Federal
  Gramm-Leach-Bliley Act (GLBA)
  Health Insurance Portability and Accountability Act (HIPAA)
  Sarbanes-Oxley (COSO and COBIT)
  Fair Credit Reporting Act (FCRA)

State
  NYS Department of Health Cyber Security: could follow California regulations on protecting employees and overseas outsourced arrangements
  NYS276: additional privacy requirements on top of GLBA
  CA1386: strict security control requirements on information; other states could follow

Page 14: Privacy of Information (Securing Personal Data)

Summary

Implement security controls consistent with industry standards for regulatory adherence
Business and Technology must work together to protect the privacy of data
Adhere to regulatory security control requirements
Safeguard your Corporation’s intellectual property and investments
Use prudent measures to safeguard your Corporation from internal exposures

Page 15: Privacy of Information (Securing Personal Data)

Elements of a Privacy Checklist

What data is stored on your systems and does it require encryption?
What privacy elements are contained in the data?
How long will the data be stored on your systems?
Are adequate security access controls in place?
Is sensitive information transmitted unencrypted?
Do you have a way to determine if data is out of date?
Are security controls in place to prevent tampering?
Are you complying with privacy regulations?
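The first item on this checklist and the custody questions on slide 8 (is the custodian aware of what PII is stored, and where) can only be answered by actually looking. As an added, worked example that is not part of Mr. Storey's deck, the Python below runs a PII discovery sweep over a handful of records of the kind the deck mentions (Social Security numbers and card numbers). It validates each hit before reporting it, since a bare digit pattern over-reports badly: card candidates must pass the Luhn checksum, and SSN candidates must fit the Social Security Administration's published allocation rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued). The file names and records are constructed for this example, the card number is the widely used 4111... test value, and the SSN-shaped values are all either structurally invalid or in a never-issued range; the report masks all but the last four digits so the inventory does not itself become a PII store.

```python
import re
from dataclasses import dataclass

# Constructed sample records standing in for rows pulled from files and logs
# during a data-discovery sweep. None belong to a real person: the card number
# is the widely used 4111... test number, and the SSN-shaped values are either
# structurally invalid or in a range the SSA has never issued.
SAMPLE_RECORDS = [
    ("customers.csv:1", "Jane Doe, 123-45-6789, jane@example.com"),
    ("customers.csv:2", "Pat Smith, 000-12-3456, pat@example.com"),
    ("payments.log:17", "auth ok card=4111 1111 1111 1111 amount=42.00"),
    ("payments.log:18", "auth fail card=4111111111111112 amount=7.50"),
    ("hr/notes.txt:3", "ticket 987654321 escalated, dob 1970-01-01"),
    ("backup/old.txt:9", "legacy id 999-99-9999 retained since 1998"),
]

# nnn-nn-nnnn, nnn nn nnnn or nnnnnnnnn; the word boundaries stop the pattern
# from matching inside a longer digit run such as a card number.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(digits: str) -> bool:
    """Structural rules from the SSA's published allocation scheme: area 000,
    666 and 900-999 are never issued, nor group 00 or serial 0000."""
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report is not itself a PII store."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    location: str   # file:line (or table:row) the value was found in
    kind: str       # "ssn" or "card"
    value: str      # masked identifier


def scan_text(location: str, text: str) -> list:
    """Return validated PII findings for one record."""
    findings = []
    for m in SSN_RE.finditer(text):
        digits = "".join(m.groups())
        if ssn_plausible(digits):
            findings.append(Finding(location, "ssn", mask(digits)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding(location, "card", mask(digits)))
    return findings


def scan_records(records) -> list:
    """Scan (location, text) pairs and return every validated finding."""
    out = []
    for location, text in records:
        out.extend(scan_text(location, text))
    return out


def summarize(findings) -> dict:
    """Counts per identifier type: the first figure a data inventory needs."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.location}: {f.kind} {f.value}")
    print(summarize(found))
```

Of the six records only two survive validation: the well-formed SSN in customers.csv and the card number in payments.log that passes Luhn. The ticket number, the 000- and 999- prefixed values and the card with a corrupted check digit are all rejected, which is the difference between a usable inventory and a list of every nine-digit string on the file server. The same validation step belongs in front of any encryption or disposal decision taken off the checklist.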

Page 16: Privacy of Information (Securing Personal Data)

Thank You