Privacy of Information (Securing Personal Data) Casualty Actuarial Society May 16, 2005

John B. Storey, CISSP
Securing Data Is No Monkey Business
Public Concerns for Personal Data

- The “Big Brother” image
- Identity theft is on the rise and a sense of helplessness prevails
- Are corporations and the government doing enough to protect Personally Identifiable Information (PII) in their custody?
- Identification numbers are attached to almost every transactional activity in our lives and history
- Balancing the good and bad uses of information about an individual
- Our need for access to many data sources has created a need for quick response
- Securing PII and Personal Health Information (PHI) is a federal mandate
FBI Annual Report

- Over $65 billion is lost as a result of identity theft each year
- There are over 10 million incidents of identity theft each year
- Many people who suffer a loss don’t make a report
- Consumers have spent over 300 million hours dealing with clearing their credit reports
- Many don’t get through the process for years
- Others have been unjustly denied job opportunities
The Need for Data Repositories

- “Everyone wants to know it now and fast”
- The ease of access to information for quick decisions
- Large data repositories for fraud detection
  - Are criminals exploiting our system?
  - Are people impersonating others?
- Analytical data models and the almost perfect degree of accuracy required
  - Creating the fair balance with scores
  - Risk analysis in business transactions
Recent Publicized Personal Data Dilemmas

- ChoicePoint
  - 145,000 names, addresses and social security numbers obtained by false customers and used in an identity theft ring
- DSW Shoe Warehouse
  - 1.4 million credit card and driver’s-license numbers
- Bank of America
  - 1.2 million customers’ social security numbers misplaced in transit
- Time Warner
  - 600,000 employee and customer social security numbers misplaced by the safety vault
- LexisNexis
  - 310,000 social security and driver’s-license numbers
Inadvertent Disclosure of Data

- Inadvertent disclosure and theft of data
  - Viruses can be used to obtain passwords
  - Search randomly or specifically for password files
- Phishing uses creative “bait and hook”
  - Deception and coercion lure the unsuspecting Internet user into disclosing sensitive information
- Trojan Horses – the silent listener
  - Get into a computer system in many ways
  - Could be used to intercept sensitive information
- Social Engineering
  - Don’t be tricked into giving sensitive information to the wrong individual
- Employees and contractors
  - Beware of the opportunist and safeguard sensitive information by strictly applying the “need to know” rules
- 83% of companies surveyed experienced a security breach in 2004 (2004 Deloitte Global Security Survey)
Protecting Data in Your Custody

- Are data custodians aware of stored or shared PII data?
- Who is using the data and for what purpose?
- Is the data available for viewing on the Internet?
- What type of logs or electronic footprints are kept to meet regulatory requirements?
- Where is it stored and for how long?
- Is encryption used?
- Is the customer or viewer properly credentialed?
- Inherent security controls must be in place consistently as long as the data is stored and used
- Are adequate data disposal controls in place?
The Cost of Security Breaches

- 2001: ChoicePoint paid $1.3 million for sending driver’s license information over the Internet
- 2003: Acxiom experienced a hacking activity that resulted in information loss; the cost of the privacy breach was approximately $12 million
- 2005: ChoicePoint had a privacy breach; the approximate cost to date is $15 - $20 million in loss of potential business
Protecting Data with an Effective Security Program

- Risk Management: Develop risk management methodologies to quantify technology risks for informed decision processes, based on industry standards such as OCTAVE and NIST Risk Management.
- Policies, Procedures and Best Practices: Develop policies and best practices to safeguard ISO and Subsidiaries’ electronic information. Policies and best practices must be third-party validated standards such as ISO 17799 and BS 7799-2.
- Awareness & Training: Educate and raise awareness among employees of your company.
- Monitoring & Reporting: Monitor, quantify, and report violations of access controls.
Statistics
source: Symantec/MSS 2003 (20,000 sensors deployed in over 180 countries)

Attack activity by type
- Pre-attack reconnaissance: 40%
- Exploit attempts: 17%
- Worms and blended threats: 43%

Top Originating Countries Excluding Worms

Rank  Country        Total  Position, first half 2003  Position in 2/2002
1     United States  58%    1                          1
2     Canada         8%     5                          7
3     China          3%     2                          3
4     Japan          3%     9                          10
5     Australia      3%     NR                         NR
6     Germany        2%     3                          4
7     South Korea    2%     4                          2
8     Taiwan         2%     NR                         6
9     France         1%     6                          5
10    Italy          1%     10                         8

[Bar chart: Severe events experienced by industries per 10,000 events; y-axis “Severe events” (0 to 10), x-axis “Industries”; industry labels are not recoverable from the extracted text, values run from 7.8 down to 1.9]
The Cost of Security Vulnerabilities

- Sophisticated attacks
  - Tools from password sniffing to self-propagating malicious software (malware)
  - Speed of attacks from 3 years (e.g., boot sector) to 4 days (e.g., Melissa) to minutes (e.g., Beagle worm)
  - Financial loss worldwide of $2 billion in August 2003 due to 3 worms in 12 days (Blaster, Welchia, and Sobig.F)
- Increased number of software and system vulnerabilities
  - From 171 vulnerabilities in 1995 to 3,784 in 2003 (source: CERT/CC)
  - Average of 10 vulnerabilities per day
  - 70% of vulnerabilities are classified as EASY TO EXPLOIT (source: Symantec)
- Open computing environment attacks
  - e.g., remote access, PDA, wireless, etc.
Federal and State Electronic Information Protection

- Federal
  - Gramm-Leach-Bliley Act (GLBA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Sarbanes-Oxley (COSO and COBIT)
  - Fair Credit Reporting Act (FCRA)
- State
  - NYS Department of Health Cyber Security
    - could follow California regulations on protecting employees and overseas outsourced arrangements
  - NYS276
    - Additional privacy requirements on GLBA
  - CA1386
    - Strict security control requirements for information
    - other states could follow
Summary

- Implement security controls consistent with industry standards for adherence to regulatory
- Businesses and technology must work together to protect the privacy of data
- Adhere to regulatory security control requirements
- Safeguard your corporation’s intellectual property and investments
- Use prudent measures to safeguard your corporation from internal exposures
Elements of a Privacy Checklist

- What data is stored on your systems and does it require encryption?
- What privacy elements are contained in the data?
- How long will the data be stored on your systems?
- Are adequate security access controls in place?
- Is sensitive information transmitted unencrypted?
- Do you have a way to determine if data is out of date?
- Are security controls in place to prevent tampering?
- Are you complying with privacy regulations?

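As an added example that is not part of the deck, the checklist above and the custodian questions on the “Protecting Data in Your Custody” slide turned into a small audit over a constructed inventory of data stores: it flags PII stored or transmitted without encryption, data held past its stated retention period, and a social security number hiding in a field the schema does not declare. The field names, store records and the AS_OF audit date are assumptions.

```python
import re
from datetime import date

# Dashed U.S. SSN, the deck's running example of PII; used to spot PII hiding in
# fields the schema does not declare (custodian awareness).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Field names to treat as PII/PHI; a store holding any of them requires encryption.
PII_FIELDS = {"ssn", "drivers_license", "dob", "credit_card", "diagnosis"}
AS_OF = date(2005, 5, 16)  # audit date; the deck's presentation date (assumption)

# Constructed inventory (not from the deck): what a custodian should record per store.
INVENTORY = [
    {"store": "claims_db", "fields": ["name", "ssn", "dob"], "encrypted_at_rest": True,
     "tls_in_transit": True, "last_updated": date(2005, 3, 1), "retention_days": 365,
     "sample_values": ["J. Doe", "1962-07-04"]},
    {"store": "marketing_export", "fields": ["name", "email", "ssn"], "encrypted_at_rest": False,
     "tls_in_transit": False, "last_updated": date(2003, 1, 15), "retention_days": 180,
     "sample_values": ["J. Doe", "jdoe@example.com"]},
    {"store": "web_cache", "fields": ["session_id", "note"], "encrypted_at_rest": False,
     "tls_in_transit": True, "last_updated": date(2005, 5, 1), "retention_days": 30,
     "sample_values": ["sess=ab12", "caller gave 123-45-6789 by phone"]},
]

def audit_store(entry, today):
    """Return the checklist items this store fails, as readable findings."""
    findings = []
    declared = sorted(PII_FIELDS & set(entry["fields"]))
    if "ssn" not in entry["fields"] and any(SSN_RE.search(v) for v in entry["sample_values"]):
        findings.append("undeclared SSN found in stored values")
        declared.append("ssn (undeclared)")
    if declared:  # the encryption questions only matter once PII is present
        if not entry["encrypted_at_rest"]:
            findings.append(f"PII {declared} stored without encryption")
        if not entry["tls_in_transit"]:
            findings.append("PII transmitted without encryption")
    age_days = (today - entry["last_updated"]).days  # retention / out-of-date check
    if age_days > entry["retention_days"]:
        findings.append(f"{age_days} days old, exceeds {entry['retention_days']}-day retention")
    return findings

def audit(inventory, today=AS_OF):
    """Map each store name to its findings; an empty list means it passes."""
    return {e["store"]: audit_store(e, today) for e in inventory}

if __name__ == "__main__":
    for store, findings in audit(INVENTORY).items():
        print(store, "OK" if not findings else "; ".join(findings))
```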
Thank You