Security Concerns with e-Commerce
Brett J. Trout, Bretttrout.com
Copyright 2001 Brett J. Trout

Electronic Communications Privacy Act (ECPA) and Employers
- Enacted in 1986
- Amends the Omnibus Crime Control Act

ECPA
- Prohibits interception of e-mail
- Prohibits access to stored e-mail
- Allows employers to monitor employees
- Applies to both:
  - Accessing a database
  - Capturing keystrokes

ECPA Title II
- Prohibits intentional access of an electronic communication service
- Relates to any stored electronic communication: e-mail, fax, etc.

ECPA Title II Exceptions
- Provider of the service (AOL, employer, etc.)
- Anyone with authorization, express or implied

ECPA Title III
- Prohibits intentional interception of any electronic communication
- Makes it a crime to capture e-mail while en route

ECPA Title III Exceptions
- Employee consented, impliedly or expressly (employment agreement, e-mail policy)
- Employer interception must be in the ordinary course of business

ECPA Take Home
- Employer can:
  - Monitor stored e-mail
  - Intercept e-mail
- Give employees express notice (employment agreement, e-mail policy)
- Monitor only in the ordinary course of business
- Stop reading if the e-mail is personal

Computer Fraud and Abuse Act
- Enacted in 1984 to stem computer crime
- Amended in 1996 (National Information Infrastructure Protection Act) to criminalize:
  - Threats to computer networks
  - Release of viruses or worms
  - Hacking
  - Hijacking
  - Destructive e-commerce activity

CFAA Makes it Illegal
- To knowingly access a computer without authorization:
  - For fraudulent purposes
  - To access confidential information
  - To access financial information
  - To cause damage to a computer system

Economic Espionage Act
- Enacted in 1996, 18 U.S.C. section 1831 et seq.
- Makes it illegal to take or receive trade secrets
- Enacted to curb economic and industrial espionage

EEA
- Civil penalties:
  - Injunction
  - Forfeiture of profits and instrumentalities to the government
- Criminal penalties:
  - Injure or benefit: 10 yr / 250K / 5M
  - Benefit a foreign power: 15 yr / 500K / 10M

Hacking
- According to PricewaterhouseCoopers, hacking cost United States companies $1.5 trillion in 2000
- World Trade Center insurable loss: $50 billion
- One year of hacking equals 30 Trade Center attacks

Types of Hacking
- Denial of service attack
- Packet sniffing
- Spoofing
- Keystroke monitoring
- Viruses
- Cracking
- Exploiting holes
- Diddling

Denial of Service Attack
- Any action to prevent a server from functioning
- Usually enlists unsecured computers to bombard the server with requests
- Floods the server
- Prevents normal functioning
- Difficult to track down

Packet Sniffing
- Internet information travels in packets with a “header”
- Sniffer software searches for packets containing these headers
- Used to audit and identify network packet traffic
- Can uncover passwords and/or usernames
- Easy to do, difficult to detect

Spoofing
- Pretending to be another user
- Includes:
  - Deceptive sender information (spam)
  - Deceptive use of username and/or password

Keystroke Monitoring
- Inexpensive software
  - Installed on the computer
  - Hardwired to the computer
- Allows:
  - Reconstruction of the user’s activity
  - Identification of usernames/passwords
- Illegal

Viruses
- Software that:
  - Modifies other software
  - Replicates itself
  - Sends itself on to other computers
- Types:
  - Replication
  - DOS
  - Data destruction

Virus Prevention
- Virus protection software
  - Only works if it is turned on
  - Constantly update
- Keep apprised of the latest viruses
- Do not open attachments from unknown senders

Virus Prevention
- Do not open files with extensions: .exe .vbs .pif
- Use Eudora, rather than Outlook
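The extension rule on this slide, as an added example that is not from the original presentation: a Python check over a constructed e-mail message that flags attachments whose final extension is .exe, .vbs or .pif, including uppercase names and disguised double extensions such as invoice.pdf.exe. The sender address and attachment contents are constructed placeholders.

```python
"""Screen an e-mail for attachments carrying the executable extensions the
slide names (.exe, .vbs, .pif). Added example; the message is constructed."""
import os
from email import policy
from email.message import EmailMessage

# Extensions the slide says never to open. A set, so the list can grow.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".pif"}


def is_blocked_filename(filename: str) -> bool:
    """True if the attachment's final extension is on the blocked list.

    The comparison is case-insensitive, and only the last extension counts,
    so a disguised name such as 'invoice.pdf.exe' is still caught.
    """
    if not filename:
        return False
    _, ext = os.path.splitext(filename.strip())
    return ext.lower() in BLOCKED_EXTENSIONS


def risky_attachments(msg: EmailMessage) -> list:
    """Return the filenames of attachments in msg that should not be opened."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if is_blocked_filename(name):
            flagged.append(name)
    return flagged


def build_sample_message() -> EmailMessage:
    """Constructed sample: one harmless attachment and two disguised executables."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "unknown-sender@example.invalid"  # placeholder address
    msg["To"] = "you@example.invalid"              # placeholder address
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename="NOTES.VBS")
    return msg


if __name__ == "__main__":
    for name in risky_attachments(build_sample_message()):
        print("do not open:", name)
```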

Cracking
- Defeating copy-protection
- Determining passwords/usernames
- Typically illegal

Exploiting Security Holes
- Microsoft XP e-wallet: unauthorized users could get credit card information
- Microsoft Outlook: vulnerable to viruses
- Keep abreast of:
  - New developments
  - Patches

Diddling
- Obtaining unauthorized access to:
  - Modify
  - Delete
  - Set a time bomb

Insurance
- Typically very expensive
- Very good exercise to identify and address problems

Insurance
- The number of companies who cited their Internet connection as a frequent point of attack has increased steadily from 47% in 1998 to 70% in 2001.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Insurance
- 78% of companies acknowledged financial losses due to computer breaches
- 37% of companies are willing or able to quantify their financial losses
- The most serious financial losses occur through theft of proprietary information.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Misconceptions
- "I have staff in place who are keeping me safe."
- "I have a firewall, so I'm protected."
- "Our network is password protected, so I'm doing all I can."
- "Our contracts transfer liability, so I have nothing to worry about."
- "My employees would never do anything to jeopardize my company's data."

Risks
- Legal risks
- Credibility risks
- Security risks
- Financial risks
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Legal Risks
- Defense costs, exaggerated because of the lack of current case law
- Inability to determine the value of intellectual property
- Copyright/trademark infringement
- Libel/slander and defamation
- Plagiarism
- D&O suit for insufficient security measures
- Regulatory costs

Security Risks
- Digital terrorism
- Internal crime
- External crime
- Virus attacks
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Credibility Risks
- Organizations that experience security breaches keep them quiet.
- A breach can do grave damage to a company’s reputation.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Financial Risks
- Prior risks translate into costs:
  - Business income loss
  - Reconstruction of lost data
  - Investor relationships
  - Defense costs
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Solutions
- Identify and prioritize the risks
- Consider technology solutions
- Consider process/policy solutions
- Transfer or eliminate risks that are too costly to retain
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Key People
- The C's: CEOs, CFOs, CTOs, CSOs, CIOs
- Human Resources
- IT
- Marketing
- Legal counsel
- Risk manager/insurance agent
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Misconceptions
- "I have coverage under my package policy."
- "I have an E&O policy that covers it."
- "I have an EDP policy."
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Policies Cover
- Policies may include coverage for:
  - Virus attacks
  - Data reconstruction
  - Business income loss
  - Disaster recovery
  - Defense costs, etc.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Costs
- Pricing varies greatly based on exposures.
- Third party policies are vastly more affordable than first party policies.
- You can expect to pay anywhere from $7,500 to $100,000 for a Cyber Risk Policy.
Source: Marsh Advantage America, Leisa Fox, www.netsecuresite.com

Internet Privacy
"You have zero privacy anyway. Get over it."
Scott McNealy, Sun Microsystems CEO, Wired News (March 11, 1999)

Internet Privacy Policy
- Components:
  - Notice of data collection: how, what, why
  - Choice: partial or total “opt out”
  - Access to data: option to modify or delete
  - Security

Internet Privacy
- Privacy policy:
  - Develop one today
  - Follow it
- Designate an IT privacy czar
- Audit your policy regularly

Consumer Privacy Protection Act
- Pending legislation
- Mandates privacy collection procedures
- Private right of action:
  - $50,000 statutory damages
  - Punitive damages
  - Attorney fees
- Something like this will become law

Cookies
- A computer science term
- An opaque piece of data held by an intermediary

What is a Cookie?
- HTTP header
- Text-only string
- Associated with your browser
- Unique identifier
- Cannot be used as a virus
- Cannot access your hard drive
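How a cookie works as an opaque identifier, as an added Python example that is not from the original presentation: the server issues a random token in a Set-Cookie header, keeps the mapping from token to user in its own table, and reads the token back from the browser's Cookie header. The cookie name sid and the in-memory session table are assumptions; the HttpOnly and Secure attributes are a defensive addition the slide does not mention.

```python
"""A cookie as the slide describes it: a text-only HTTP header carrying an
opaque, unique identifier. The value means nothing by itself; only the
issuing server's own table (the intermediary) maps it back to a user.
Added example with a constructed in-memory session table."""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

COOKIE_NAME = "sid"  # assumed cookie name; any token name would do


class SessionTable:
    """Server-side store holding what each issued cookie value stands for."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def issue(self, username: str) -> str:
        """Start a session for username; return the Set-Cookie header to send.

        The token is random and reveals nothing about the user; the link
        between token and user exists only in this table.
        """
        token = secrets.token_urlsafe(24)
        self._sessions[token] = username
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = token
        cookie[COOKIE_NAME]["path"] = "/"
        cookie[COOKIE_NAME]["httponly"] = True  # page scripts cannot read it
        cookie[COOKIE_NAME]["secure"] = True    # browser sends it only over TLS
        return cookie.output(header="Set-Cookie:")

    def resolve(self, cookie_header: str) -> Optional[str]:
        """Map the browser's Cookie header back to a username, or None."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            return None
        return self._sessions.get(morsel.value)


def token_from_header(set_cookie_header: str) -> str:
    """Extract the token a browser would store from a Set-Cookie header."""
    name_value = set_cookie_header.split(":", 1)[1].strip().split(";", 1)[0]
    return name_value.split("=", 1)[1]


if __name__ == "__main__":
    table = SessionTable()
    header = table.issue("alice")
    print(header)  # an opaque token with no username in it
    print(table.resolve(f"{COOKIE_NAME}={token_from_header(header)}"))
```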

DoubleClick
- DoubleClick used cookies to aggregate user information
- Users sued
- SDNY court held 3/28/2001: no violation

Children’s Online Privacy Protection Act
- Requires the Federal Trade Commission to issue and enforce regulations which regulate the ability of Web sites to collect personal information from children under the age of 13.

COPPA
- Passed into law October 21, 1998
- Covers personal information collected after April 21, 2000
- COPPA applies to Web sites and online services targeted to, or that know they are collecting data from, children under 13.

COPPA Requirements
- Post a privacy policy:
  - Conspicuous
  - What data you collect
  - What you do with it
- Obtain verifiable consent from the child's parent before you collect any data
- Importantly: a change in policy requires new consent

COPPA Requirements
- Give the option to revoke consent
- Allow parents to review the data collected
- Ensure the security and integrity of the data you collect

Gramm-Leach-Bliley
- Subjects “financial institutions” to certain reporting and disclosure requirements intended to ensure the personal and financial privacy of customers

“Financial Institution”
- Lending, exchanging, transferring, investing for others, or safeguarding money or securities;
- Issuing or selling instruments representing interests in pools of assets which a bank can hold directly;
- Engaging in any activity … so closely related to banking or managing … as to be a proper incident thereto.

GLB Data Disclosure
- Opt out: prohibits disclosure by a financial institution without allowing the consumer to opt out.
- Third party disclosure: allowed for the purpose of permitting a third party to perform services for the financial institution.

GLB Data Disclosure
- Prohibits a third party from disclosing nonpublic personal information unless the disclosure would be lawful if made directly to such other person by the financial institution.
- Prohibits sharing of account number information for marketing purposes
- Different requirements for different levels of relationships.

Health Insurance Portability and Accountability Act
- Forces health providers and insurers to use technology in a more uniform, less proprietary manner

HIPAA Goals
- Standardization
- Security
- Privacy

Areas of Focus
- Technical security services
  - User authorization and authentication
  - Access control and encryption
- Administrative procedures
  - Formal security planning
  - Record maintenance and audits
- Physical safeguards
  - Security of the building
  - Privacy for workstations handling patient information

HIPAA
- Can apply to both health care and non-health care entities
- Forces covered entities to uniformly transmit and receive certain data electronically
- Requires the use of standard identifiers (rather than proprietary codes) to identify health care providers, employers, health plans and patients

Employers
- Must have written policies and notify employees of HIPAA policies
- Must get consents to the release of certain information in certain circumstances
- Must give employees access to their medical records
- Must have contracts in place with providers to ensure that they safeguard information

Employers
- Identify stored health information and who has access to it
- Identify how the information is used and its flow
- Correlate all privacy policies
- Standardize all relevant third-party provider contracts

European Union Directive on Privacy
- Effective 25 October 1998
- Every EU member state must enact national law consistent with the Directive
- Many EU countries had privacy laws before the Directive

EU Directive
- World-wide standard
- Enforcement has begun in the U.S.

Compliance
- The Safe Harbor
- Specific contracts blessed by European Data Protection Authorities
- Exceptions or derogations to the Directive

Safe Harbor
- Seven privacy principles issued by the US Department of Commerce on July 21, 2000 for “personal data” collection

Seven Provisions
- Notice
- Opt in
- Opt out
- Security
- Maintain integrity of data
- Procedure for data correction
- Data transfer

Notice
- Clear language
- Purpose of collection
- Contact information for inquiries or complaints
- To whom you disclose information
- Options for limiting use and disclosure of the information

Opt in/Opt out
- Opt out:
  - Disclosed to a third party
  - Used for a new purpose
- Opt in: sensitive information
  - Race, health, union membership, sexual preference
  - If disclosed to a third party
  - If used for a new purpose

Security
- Protect data against:
  - Loss
  - Misuse
  - Unauthorized access
  - Disclosure
  - Alteration
  - Destruction

Maintain Integrity of Data
- Reliable for intended use
- Accurate
- Complete
- Current

Procedures For Correction
- Correct, amend, or delete inaccurate information
- Not necessary where:
  - Burden much greater than potential harm
  - Would compromise confidential information of others

Data Transfer
- Must include:
  - Notice provisions
  - Choice provisions
- Agent must:
  - Subscribe to the foregoing principles; or
  - Enter into a written agreement requiring the agent to provide at least the same level of privacy protection as the provider

Safe Harbor
- Access
  - Individuals must have access to “their” information
  - Ability to correct or remove inaccurate information
  - “Disproportionate burden” exception
- Enforcement
  - Mechanisms for investigating and resolving complaints
  - Procedures for verifying privacy statements
  - Obligation to remedy problems

EU Directive
- Enforcement by competitors
- Failure to comply could lead to a cut-off in data and actions against European partners

Falling Under Safe Harbor
- Self-certification on the DOC website
- Hard part: applying it to business practices
- Financial services firms cannot join Safe Harbor unless under the FTC

EU Directive
- Over 40 countries now have substantial privacy laws
- Most either copy or comply with the EU Privacy Directive

EU Directive
- Compliance requirement is real
- Safe Harbor is likely the best, but not the only, option
- Don’t copy another company’s privacy policy

What To Do
- Audit current privacy practice
- Develop an EU Directive-conforming policy
- Comport practice with policy
- Require warranties and indemnities from third parties using your data
- Encrypt data transmissions

Privacy Technology
- Establish a firewall
- Monitor cookies; turn them off as appropriate
- Run virus detection software
- Anonymizer
- TRUSTe: will review your privacy policy
- Asymmetric cryptography
- Future technology: Platform for Privacy Preferences, which defines exactly the level of information disclosed

Additional Steps
- Security policies
- Rotate passwords
- Monitor access and file transfer
- Implement a network vulnerability study
- Implement a disaster recovery plan
- Limit modification of workstations
- Obtain insurance

Thank You