Failure to comply: What’s the worst that can happen?
Why businesses should automate processes to achieve compliance with state and federal legislation – and mitigate risks.
In 2013, one of the biggest stories in information security was the Target data breach. Credit and debit card accounts were compromised during a virtual heist of in-store payment systems that affected as many as 110 million customers.
In the aftermath, the IT security community weighed in with its views.
John Pescatore, Director of SANS Institute, suggested that the breach “will have direct financial costs to Target on the order of $2 billion.”[i]
According to a Sterne Agee analyst, the cost to replace customer cards will top $550 million, excluding penalties, credit watch expenses, and any lawsuits that may follow.
What does it all mean? Well, compliance refers to industry-wide government regulations and rules that govern how data is to be managed and protected. The phrase “being compliant” refers to meeting those regulations and being able to demonstrate that the organization is meeting them.
Technology plays an important role in compliance apart from being used to defend the organization against instances of negligence. These words imply expensive audits, lawyers, and ultimately even insurance products and services to address the legal landscape that governs online commerce, contracts and legal responsibility.
What is the IT role in compliance? This is a complex question. But in a nutshell, IT has to set out a series of rules built on industry “best practices” designed to reduce the organization’s risk by spelling out the policy, governance, and technical and administrative controls that must be applied to certain types of information. IT generally provides the technical controls to automate the business process and compile the necessary proof of compliance through logging.[ii]
Information systems generate a huge volume of log data, which can be leveraged beyond just proof of compliance. With the right tool in place, such as GFI EventsManager®, log file activity can boost security and detect security incidents before they escalate. Automating log file collection and analysis is a National Institute of Standards and Technology (NIST) best practice when it comes to protecting your information systems:[iii]
“Organizations also may store and analyze certain logs to comply with Federal legislation and regulations, including the Federal Information Security Management Act of 2002 (FISMA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS).”
Organizations of any size gather, process and create information that requires they adhere to any number of state, federal and international standards. For instance, PCI DSS applies to a credit card or debit card account number alone, or with any of the following:
• Cardholder name
• Security code
• Expiration date[iv]
Other types of information must be safeguarded as well, such as personally identifiable information (PII) and protected health information (PHI).
PII includes a name together with one or more of the following:
• Social security number
• Driver license number
• Financial account number in combination with any security code, access code, or password
PHI is any information that links individuals with their physical or mental health condition such as:
• Name of individual or relative
• Telephone numbers
• Electronic mail (“email”) address
• Social security numbers
• Medical record numbers
• Account numbers
• Health plan beneficiary number
• Dates such as birth, admission, or discharge
• Full-face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
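An added example (not the white paper’s own code) that turns the PCI DSS, PII and PHI scoping rules above into a record classifier a data-discovery or DLP check could run; the flat record layout, the field names and the Luhn check for card numbers are assumptions for illustration.

```python
import re
# Added example (not the white paper's own code): classify a record under the
# PCI DSS cardholder-data, PII and PHI definitions quoted in the text. The flat
# dict layout and the field names used below are assumptions for illustration.

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to tell a real card number from random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """A primary account number: 13-19 digits (spaces/dashes allowed) passing Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)

# Name plus any of these makes a record PII (financial account handled separately).
PII_IDENTIFIERS = {"ssn", "driver_license"}
PII_SECRETS = {"security_code", "access_code", "password"}
# Any of these, linked to a health condition, makes a record PHI.
PHI_IDENTIFIERS = {"name", "phone", "email", "ssn", "medical_record_number",
                   "account_number", "health_plan_id", "birth_date", "admission_date",
                   "discharge_date", "photo", "other_unique_id"}

def classify(record: dict) -> set:
    """Return the set of regimes ('PCI DSS', 'PII', 'PHI') whose scope the record falls under."""
    present = {k for k, v in record.items() if v}   # fields that actually hold a value
    scope = set()
    # PCI DSS: a card number alone is enough; name, code or expiry only widen the data.
    if "card_number" in present and looks_like_pan(str(record["card_number"])):
        scope.add("PCI DSS")
    # PII: name + SSN, driver license, or financial account number with a secret.
    if "name" in present and (present & PII_IDENTIFIERS or
                              ("financial_account" in present and present & PII_SECRETS)):
        scope.add("PII")
    # PHI: a health condition tied to an individual through any listed identifier.
    if "health_condition" in present and present & PHI_IDENTIFIERS:
        scope.add("PHI")
    return scope

# Constructed sample records (not real data), one per outcome.
SAMPLE_RECORDS = [
    {"name": "A. Example", "card_number": "4111 1111 1111 1111"},          # PCI DSS
    {"name": "B. Example", "ssn": "000-00-0000"},                          # PII
    {"medical_record_number": "MRN-0001", "health_condition": "asthma"},   # PHI
    {"name": "C. Example", "financial_account": "12345"},                  # out of scope
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(sorted(classify(rec)) or "out of scope", rec)
```

A record that carries a card number but fails the Luhn check is left out of PCI DSS scope, and a name with a financial account number only enters PII scope once a security code, access code or password accompanies it.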
PHI in the United States is subject to HIPAA.[v] In the U.S., a perceived HIPAA violation can cost you and your organization dearly. Fines upon conviction for a HIPAA violation can range from $100 per record to $50,000 per record – and that can add up quickly if you are a company that deals in hundreds or thousands of similar records a year.[vi]
What could happen if a data breach occurs and your organization has demonstrated a cavalier attitude, or lacks documentation proving compliance? In one case, the U.S. Federal Trade Commission (FTC) imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. for a data security breach that compromised nearly 160,000 consumer records in 2008.
The $10 million penalty is being levied for violations of the Fair Credit Reporting Act (FCRA) because the company failed to implement reasonable procedures for protecting the data. The finding that “reasonable procedures” were not implemented in this context means that ChoicePoint Inc. did not comply with relevant industry best practices or, at a minimum, could not demonstrate that best practices were implemented.[vii]
Many other pieces of legislation impose specific governance requirements, safeguards, policies and penalties for violations, and many of the requirements can only be met by technical controls. In addition to the legislation and regulation already mentioned, others include:
• European Union Data Protection Directive (EUDPD)
• Personal Data Act
• Computer Misuse Act
• Data Protection Act
• 21 CFR Part 11
• BASEL II
• Various state security breach laws
This is a short list of the possible local, national or international rules that might apply to a business, and it is ever-expanding as governments play catch-up and try to protect consumers from data leaks. Businesses are advised to consult a subject matter expert in compliance to help determine the organization’s requirements and what automated tools are adequate.
Determining what legislation might apply is critical. The starting point is to look at the various reasons why your organization accesses customer data and the methods used to do so, and to determine when, where and how information relating to customers is being stored. This information is key for taking the discussion to the next phase and making smart choices about automated solutions suitable for compliance. There are thousands of pieces of legislation governing data compliance in the U.S. alone, but these can be narrowed down by asking a few questions such as:
• In what industry does your organization operate?
• What types of customers does your organization serve?
• In what jurisdiction(s) do you conduct business?
Second, what are the requirements imposed by the applicable laws, and what physical, technical, or organizational changes are required to meet the legislated requirements that your organization must follow?
Third, how can compliance with the specified requirements be demonstrated to a third-party auditor?
Proof needs to be provided in the form of reports, logs, audit results and documented policies. IT compliance is not just about executing business processes correctly; it’s about being able to prove that the business processes have been executed correctly. In this case “correctly” means that processes were completed as required by the legislation. Automated tools can play a big role in demonstrating compliance with various pieces of legislation.
Patch management and vulnerability scanning, monitoring and controlling website access, and collecting and analyzing logs can easily be addressed in part, or in full, by an automated tool. As a defense-in-depth strategy, reducing the attack surface with GFI LanGuard® by keeping machines up-to-date, and controlling access to dangerous websites with GFI WebMonitor®, is a good start. Both solutions help you to check the boxes on your list of requirements.
The GLBA is often overlooked or misunderstood legislation. This happens because organizations don’t realize that it applies to them. The GLBA applies to a “financial institution” which, according to the act, is any organization engaging in financial activities. At this point you may think “I’m not a bank, so it does not apply to me…” Not so fast! The GLBA considers your business a financial institution if you do any of the following activities:
• Providing loans or credit, including receiving application information, and making and servicing such loans
• Financial advisory services
• Collecting delinquent loans
• Check-cashing services
• Tax planning
• Holding information from a consumer report
• Career counseling services for those seeking employment in finance, accounting or auditing
• Investment advisory services
• Credit counseling services
• Tax preparation
• Sale of money orders, savings bonds or traveler’s checks
• Travel agency services provided in connection with financial services
• Real estate settlement services
• Money wiring services
• Issuing credit cards or long-term payment plans involving interest charges
• Personal property and real estate appraisals
• Services provided by a principal, broker or agent with respect to life, health, liability or disability insurance products
• Providing or issuing annuities[viii]
With this broad scope of activities, many businesses may be shocked to discover they are in fact subject to the requirements of the GLBA.
When a business introduces safeguards to protect the security, confidentiality and integrity of customer information, administrative, physical and technical safeguards must be considered.
Administrative safeguards are outside the scope of this white paper. However, consideration must be given to the crossover between physical and technical safeguards. IP camera systems, card access systems and even heating and air conditioning (HVAC) systems have IT components, if not dedicated IT systems. To protect the physical environment, one must protect the machines that control the physical environment.
Failure to diligently protect all the systems, whatever their role in the enterprise, will provide cybercriminals with a foothold into the enterprise. Endpoint security for all the enterprise workstations and portable devices is just as important for compliance purposes as for the servers that store and process the information.
As mentioned earlier, the GLBA was introduced in 1999, and digitally based threats to business have become an epidemic since the act’s introduction. Complying with the GLBA administratively, physically and technically provides a base level of security, but it’s not nearly enough defense against modern malware and talented cybercriminals.
In a 2010 document, the SANS Institute identified key IT requirements for compliance with the GLBA. In short, organizations must:
• Have a written security policy
• Establish a baseline of risk assessment and conduct a vulnerability scan
• Monitor and report on access to any files, folders or databases that contain consumer financial information
• Notify consumers if you believe their information has been compromised
• Designate a security program coordinator
• Establish an employee security awareness and training program
• Create policies for information processing, transmission, storage and disposal (and review and revise for material changes)
• Have appropriate measures to detect, prevent and respond to attacks and intrusions
• Provide a procedure for FTC reviews or audits
• Provide oversight for contracted service provider organizations
Obviously, performing “... a baseline of risk assessment and ... vulnerability scan” needs to occur regularly, and SANS recommends that an automated, continuous assessment capability be implemented. “Appropriate measures to detect, prevent, and respond to attacks and intrusions” also lends itself to an automated and continuous protection solution. Lastly, preventing the unauthorized disclosure of protected information is impossible to do manually – an automated data-loss-prevention solution, and email and fax archiving solutions, are worth considering.
Since the GLBA was first enforced, the financial transaction world has been completely transformed. Tellers on isolated terminals inside a corporate network no longer conduct the majority of financial transactions. Instead, consumers have embraced the Internet for financial transactions; the next frontier is mobile payments, and PCI DSS compliance is required on this platform as well. The Gartner Group says, “Worldwide mobile payments are growing by about 40 percent a year … and predicted to reach $325 billion in 2014.”[ix]
E-commerce websites or even generic corporate websites might be collecting information about customers, including credit and bank account information to facilitate a transaction. Moreover, if your organization is bound by legislation or industry compliance such as HIPAA, GLBA, PCI DSS, or Sarbanes-Oxley to protect the privacy and security of identifiable personal information, there is the risk of being found non-compliant if hackers gain access to sensitive information.
In the simplest of terms, proof of compliance indicates best efforts of organizational due diligence when safeguarding data that is legislated to be protected.
A compelling reason to think of moving towards compliance with the GLBA (or other applicable legislation), and being able to prove your compliance, is that it would virtually eliminate a court finding you guilty. Even if your business was the victim of a breach, a finding of negligence would be unlikely, as you were compliant with a minimum standard of care as defined by the GLBA. Without being compliant, you risk penalties under the GLBA, civil suits attempting to prove organizational negligence or lack of due diligence, and court-ordered injunctive relief. It can add up to hundreds of thousands of dollars in fines.
The penalties for violating the GLBA are quite severe:
• A financial institution can be fined up to $100,000 for each violation.
• The officers and directors of the financial institution can be fined up to $10,000 for each violation.
• Criminal penalties include imprisonment for up to five years, a fine, or both.
• If the GLBA is violated at the same time that another federal law is violated, or if the GLBA is violated as part of a pattern of any illegal activity involving more than $100,000 within a 12-month period, the violator’s fine will be doubled and he or she will be imprisoned for up to 10 years.
Running a modern network is a complex and challenging job. Compliance with a minimum legislated standard of care such as GLBA or PCI DSS could be an opportunity to get your organization thinking about safeguarding your customers’ data appropriately.
Harder to quantify is the cost to the business as customers lose faith in the organization’s ability to provide (willingly or not) basic security measures to protect their sensitive information. Clients will part ways with previously trusted organizations that have shown themselves incapable of meeting the minimum standard of technical security for personal information. And why not? Companies that want to be successful in today’s ever-changing world of virtual commerce must be ready to defend themselves against the savvy cybercriminal – and guard their customers’ data with every tool available to comply with industry regulations and standards.
[i] SANS NewsBites Vol. 15 Num. 101
[ii] http://www.gfi.com/~/media/Files/GFI/Media/Products/EventsManager/Whitepapers/PCI%20DSS%20Compliance.ashx
[iii] http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
[iv] http://pcicomplianceguide.org/pcifaqs.php#12
[v] http://privacyruleandresearch.nih.gov/pdf/HIPAA_Privacy_Rule_Booklet.pdf
[vi] http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
[vii] http://www.computerworld.com/s/article/108069/FTC_imposes_10M_fine_against_ChoicePoint_for_data_breach
[viii] http://itlaw.wikia.com/wiki/Gramm-Leach-Bliley_Act
[ix] http://www.gartner.com/newsroom/id/2504915
NOTE: THIS IS NOT LEGAL ADVICE. It is an opinion of the author and his team, and in no way should it be used, thought about, conceived of, or construed as legal advice. Talk to your lawyer if you have legal issues. Compliance, negligence and liability are complex and intricate topics. It is something to consider and talk to your lawyer about!
GFI Software™ provides many tools to automate processes that help an organization achieve compliance with state and federal legislation. The complex, modern business network cannot be managed without automated tools which control and mitigate risk. Manual management of risk doesn’t work. This white paper highlights the quick wins that GFI EventsManager®, GFI LanGuard® and GFI WebMonitor® can provide to your business. The concise reports, comprehensive feature set and top-notch technical support will allow your business to make the right choices when it comes to compliance audits today and in the future.
Disclaimer. © 2014. GFI Software. All rights reserved. All product and company names herein may be trademarks of their respective owners.