Copyright 2001 Brett J. Trout
Security Concerns with e-Commerce
Bretttrout.com
Electronic Communications Privacy Act (ECPA) and Employers
- Enacted in 1986
- Amends the Omnibus Crime Control Act
ECPA
- Prohibits interception of e-mail
- Prohibits access to stored e-mail
- Allows employers to monitor employees
- Applies to both:
  - Accessing a database
  - Capturing keystrokes
ECPA Title II
- Prohibits intentional access of an electronic communication service
- Relates to any stored electronic communication (e-mail, fax, etc.)
ECPA Title II Exceptions
- Provider of the service (AOL, employer, etc.)
- Anyone with authorization (express or implied)
ECPA Title III
- Prohibits intentional interception of any electronic communication
- Makes it a crime to capture e-mail while en route
ECPA Title III Exceptions
- Employee consented, impliedly or expressly (employment agreement, e-mail policy)
- Employer interception must be in the ordinary course of business
ECPA Take Home
- Employer can monitor stored e-mail and intercept e-mail
- Give employees express notice (employment agreement, e-mail policy)
- Monitor only in the ordinary course of business
- Stop reading if the e-mail is personal
Computer Fraud and Abuse Act
- Enacted in 1984 to stem computer crime
- Amended in 1996 (National Information Infrastructure Protection Act) to criminalize:
  - Threats to computer networks
  - Release of viruses or worms
  - Hacking
  - Hijacking
  - Destructive e-commerce activity
CFAA Makes it Illegal
- To knowingly access a computer without authorization:
  - For fraudulent purposes
  - To access confidential information
  - To access financial information
  - To cause damage to a computer system
Economic Espionage Act
- Enacted in 1996, 18 U.S.C. section 1831 et seq.
- Makes it illegal to take or receive trade secrets
- Enacted to curb economic and industrial espionage
EEA
- Civil penalties: injunction; forfeiture of profits and instrumentalities to the government
- Criminal penalties:
  - Injure or benefit: 10 yr / 250K / 5M
  - Benefit a foreign power: 15 yr / 500K / 10M
Hacking
- According to PricewaterhouseCoopers, hacking cost United States companies $1.5 trillion in 2000
- World Trade Center insurable loss: $50 billion
- One year of hacking equals 30 Trade Center attacks.
Types of Hacking
- Denial of service attack
- Packet sniffing
- Spoofing
- Keystroke monitoring
- Viruses
- Cracking
- Exploiting holes
- Diddling
Denial of Service Attack
- Any action to prevent a server from functioning
- Usually enlists unsecured computers to bombard the server with requests
- Floods the server and prevents normal functioning
- Difficult to track down
Packet Sniffing
- Internet information travels in packets with a "header"
- Sniffer software searches for packets containing these headers
- Used to audit and identify network packet traffic
- Can uncover passwords and/or usernames
- Easy to do, difficult to detect
Spoofing
- Pretending to be another user; includes:
  - Deceptive sender information (spam)
  - Deceptive use of username and/or password
Keystroke Monitoring
- Inexpensive software, installed on the computer or hardwired to it
- Allows reconstruction of the user's activity and identification of usernames/passwords
- Illegal
Viruses
- Software that modifies other software, replicates itself, and sends itself on to other computers
- Types: replication, DoS, data destruction
Virus Prevention
- Virus protection software: only works if it is turned on; update it constantly
- Keep apprised of the latest viruses
- Do not open attachments from unknown senders
Virus Prevention
- Do not open files with the extensions .exe, .vbs, .pif
- Use Eudora rather than Outlook
Cracking
- Defeating copy protection
- Determining passwords/usernames
- Typically illegal
Exploiting Security Holes
- Microsoft XP e-wallet: unauthorized users could get credit card information
- Microsoft Outlook: vulnerable to viruses
- Keep abreast of new developments and patches
Diddling
- Obtaining unauthorized access to modify, delete, or set a time bomb
Insurance
- Typically very expensive
- Very good exercise to identify and address problems
Insurance
- The number of companies who cited their Internet connection as a frequent point of attack has increased steadily from 47% in 1998 to 70% in 2001.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Insurance
- 78% of companies acknowledged financial losses due to computer breaches
- 37% of companies are willing or able to quantify their financial losses
- The most serious financial losses occur through theft of proprietary information.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Misconceptions
- I have staff in place who are keeping me safe
- I have a firewall, so I'm protected
- Our network is password protected, so I'm doing all I can
- Our contracts transfer liability, so I have nothing to worry about
- My employees would never do anything to jeopardize my company's data
Risks
- Legal risks
- Credibility risks
- Security risks
- Financial risks
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Legal Risks
- Defense costs, exaggerated because of the lack of current case law
- Inability to determine the value of intellectual property
- Copyright/trademark infringement
- Libel/slander and defamation
- Plagiarism
- D&O suit for insufficient security measures
- Regulatory costs
Security Risks
- Digital terrorism
- Internal crime
- External crime
- Virus attacks
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Credibility Risks
- Organizations that experience security breaches keep them quiet.
- A breach can do grave damage to a company's reputation.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Financial Risks
- The prior risks translate into costs:
  - Business income loss
  - Reconstruction of lost data
  - Investor relationships
  - Defense costs
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Solutions
- Identify and prioritize the risks
- Consider technology solutions
- Consider process/policy solutions
- Transfer or eliminate risks that are too costly to retain
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Key People
- The C's: CEOs, CFOs, CTOs, CSOs, CIOs
- Human resources
- IT
- Marketing
- Legal counsel
- Risk manager/insurance agent
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Misconceptions
- I have coverage under my package policy
- I have an E&O policy that covers it
- I have an EDP policy
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Policies Cover
- Policies may include coverage for: virus attacks, data reconstruction, business income loss, disaster recovery, defense costs, etc.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Costs
- Pricing varies greatly based on exposures.
- Third-party policies are vastly more affordable than first-party policies.
- You can expect to pay anywhere from $7,500 to $100,000 for a Cyber Risk Policy.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com
Internet Privacy
"You have zero privacy anyway. Get over it."
Scott McNealy, Sun Microsystems CEO, Wired News (March 11, 1999)
Internet Privacy Policy
Components:
- Notice of data collection: how, what, why
- Choice: partial or total "opt out"
- Access to data: option to modify or delete
- Security
Internet Privacy
- Privacy policy: develop one today, and follow it
- Designate an IT privacy czar
- Audit your policy regularly
Consumer Privacy Protection Act
- Pending legislation
- Mandates privacy collection procedures
- Private right of action: $50,000 statutory damages, punitive damages, attorney fees
- Something like this will become law
Cookies
- A computer science term
- An opaque piece of data held by an intermediary
What is a Cookie?
- HTTP header
- Text-only string
- Associated with your browser
- Unique identifier
- Cannot be used as a virus
- Cannot access your hard drive
DoubleClick
- DoubleClick used cookies to aggregate user information
- Users sued; the S.D.N.Y. court held on 3/28/2001 that there was no violation
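An added illustration, not part of the presentation, of the aggregation the DoubleClick slide describes: two unrelated publisher sites embed content from one ad-network domain, the browser returns that domain's cookie on both visits, and the ad server links the visits into a single profile; clearing third-party cookies (the "turn off as appropriate" advice later in the deck) breaks the link. All domains and identifiers are constructed.

```python
from http.cookies import SimpleCookie
import secrets

AD_DOMAIN = "ads.example"                      # constructed ad-network domain
PUBLISHERS = ["news.example", "shop.example"]  # constructed first-party sites


class AdServer:
    """Third-party server: one cookie per browser, one profile per cookie."""

    def __init__(self):
        self.profiles = {}  # uid -> pages on which this browser saw the ad

    def serve(self, cookie_header, referer):
        jar = SimpleCookie()
        jar.load(cookie_header)
        headers = {}
        if "uid" in jar:
            uid = jar["uid"].value            # returning browser: reuse the id
        else:
            uid = secrets.token_hex(8)        # new browser: mint an opaque id
            headers["Set-Cookie"] = f"uid={uid}; Domain={AD_DOMAIN}; Path=/"
        self.profiles.setdefault(uid, []).append(referer)
        return headers


class Browser:
    """Stores cookies per setting domain and returns them only to that domain."""

    def __init__(self):
        self.jar = {}  # domain -> {name: value}

    def fetch_ad(self, page_domain, ad_server):
        stored = self.jar.get(AD_DOMAIN, {})
        cookie_header = "; ".join(f"{k}={v}" for k, v in stored.items())
        resp = ad_server.serve(cookie_header, page_domain)
        if "Set-Cookie" in resp:
            c = SimpleCookie()
            c.load(resp["Set-Cookie"])
            self.jar.setdefault(AD_DOMAIN, {}).update(
                {k: m.value for k, m in c.items()})


def simulate(block_third_party=False):
    """Visit every publisher once; return the ad server's profiles."""
    server, browser = AdServer(), Browser()
    for page in PUBLISHERS:
        if block_third_party:
            browser.jar.pop(AD_DOMAIN, None)  # mitigation: clear third-party cookies
        browser.fetch_ad(page, server)
    return server.profiles
```

Without blocking, `simulate()` yields one profile listing both publishers; with `block_third_party=True` each visit gets a fresh id and no cross-site profile forms.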
Children's Online Privacy Protection Act
- Requires the Federal Trade Commission to issue and enforce regulations which regulate the ability of Web sites to collect personal information from children under the age of 13.
COPPA
- Passed into law October 21, 1998
- Covers personal information collected after April 21, 2000
- COPPA applies to Web sites and online services targeted to, or that know they are collecting data from, children under 13.
COPPA Requirements
- Post a privacy policy: conspicuous; what data you collect; what you do with it.
- Obtain verifiable consent from the child's parent before you collect any data.
- Importantly: a change in policy requires new consent
COPPA Requirements
- Give the option to revoke consent
- Allow parents to review the data collected
- Ensure the security and integrity of the data you collect.
Gramm-Leach-Bliley
- Subjects "financial institutions" to certain reporting and disclosure requirements intended to ensure the personal and financial privacy of customers
"Financial Institution"
- Lending, exchanging, transferring, investing for others, or safeguarding money or securities;
- Issuing or selling instruments representing interests in pools of assets which a bank can hold directly;
- Engaging in any activity … so closely related to banking or managing … as to be a proper incident thereto.
GLB Data Disclosure
- Opt out: prohibits disclosure by a financial institution without allowing the consumer to opt out.
- Third-party disclosure: allowed for the purpose of permitting a third party to perform services for the financial institution.
GLB Data Disclosure
- Prohibits a third party from disclosing nonpublic personal information unless the disclosure would be lawful if made directly to such other person by the financial institution.
- Prohibits sharing of account number information for marketing purposes
- Different requirements for different levels of relationships.
Health Insurance Portability and Accountability Act
- Forces health providers and insurers to use technology in a more uniform, less proprietary manner
HIPAA Goals
- Standardization
- Security
- Privacy
Areas of Focus
- Technical security services: user authorization and authentication; access control and encryption
- Administrative procedures: formal security planning; record maintenance and audits
- Physical safeguards: security for the building; privacy for workstations handling patient information
HIPAA
- Can apply to both health care and non-health care entities
- Forces covered entities to uniformly transmit and receive certain data electronically
- Requires the use of standard identifiers (rather than proprietary codes) to identify health care providers, employers, health plans and patients
Employers
- Must have written policies and notify employees of HIPAA policies
- Must get consents to the release of certain information in certain circumstances
- Must give employees access to their medical records
- Must have contracts in place with providers to ensure that they safeguard information
Employers
- Identify stored health information and who has access to it
- Identify how the information is used and its flow
- Correlate all privacy policies
- Standardize all relevant third-party provider contracts
European Union Directive on Privacy
- Effective 25 October 1998
- Every EU member state must enact national law consistent with the Directive
- Many EU countries had privacy laws before the Directive
EU Directive
- World-wide standard
- Enforcement has begun in the U.S.
Compliance
- The Safe Harbor
- Specific contracts blessed by European Data Protection Authorities
- Exceptions or derogations to the Directive
Safe Harbor
- Seven privacy principles issued by the US Department of Commerce on July 21, 2000 for "personal data" collection
Seven Provisions
- Notice
- Opt in
- Opt out
- Security
- Maintain integrity of data
- Procedure for data correction
- Data transfer
Notice
- Clear language
- Purpose of collection
- Contact information for inquiries or complaints
- To whom you disclose information
- Options for limiting use and disclosure of the information.
Opt in/Opt out
- Opt out:
  - Disclosed to a third party
  - Used for a new purpose
- Opt in: sensitive information (race, health, union membership, sexual preference)
  - If disclosed to a third party
  - If used for a new purpose
Security
- Loss
- Misuse
- Unauthorized access
- Disclosure
- Alteration
- Destruction.
Maintain Integrity of Data
- Reliable for intended use
- Accurate
- Complete
- Current.
Procedures For Correction
- Correct, amend, or delete inaccurate information
- Not necessary where:
  - The burden is much greater than the potential harm
  - It would compromise confidential information of others
Data Transfer
- Must include notice provisions and choice provisions
- Agent must:
  - Subscribe to the foregoing principles; or
  - Enter into a written agreement requiring the agent to provide at least the same level of privacy protection as the provider
Safe Harbor
- Access:
  - Individuals must have access to "their" information
  - Ability to correct or remove inaccurate information
  - "Disproportionate burden" exception
- Enforcement:
  - Mechanisms for investigating and resolving complaints
  - Procedures for verifying privacy statements
  - Obligation to remedy problems
EU Directive
- Enforcement by competitors
- Failure to comply could lead to a cut-off in data and actions against European partners
Falling Under Safe Harbor
- Self-certification on the DOC website
- Hard part: applying it to business practices
- Financial services firms cannot join Safe Harbor unless under the FTC
EU Directive
- Over 40 countries now have substantial privacy laws
- Most either copy or comply with the EU Privacy Directive
EU Directive
- Compliance requirement is real
- Safe Harbor is likely the best, but not the only, option
- Don't copy another company's privacy policy
What To Do
- Audit current privacy practice
- Develop an EU Directive-conforming policy
- Comport practice with policy
- Require warranties and indemnities from third parties using your data
- Encrypt data transmissions
Privacy Technology
- Establish a firewall
- Monitor cookies; turn them off as appropriate
- Run virus detection software
- Anonymizer
- TRUSTe: will review your privacy policy
- Asymmetric cryptography
- Future technology:
  - Platform for Privacy Preferences: defines exactly the level of information disclosed
Additional Steps
- Security policies
- Rotate passwords
- Monitor access and file transfer
- Implement a network vulnerability study
- Implement a disaster recovery plan
- Limit modification of workstations
- Obtain insurance
Thank You