Security versus compliance

Posted: October 22, 2008 in Posts

In Massachusetts, an “Order Regarding the Security and Confidentiality of Personal Information” has just passed. The measures it contains are intended to hold the state’s government bodies accountable for adhering to practices that protect against consumer identity theft.

Of particular interest is Section 4, which calls for the Commonwealth’s CIO to oversee the guidelines, plans, reporting and auditing of each agency. The order calls, in particular, for a great deal of auditing. This brings to mind Martin McKeay’s excellent discussion of compliance through security.

Are these compliance regulations the right approach to preventing ID theft? Is there any realistic alternative?

Comments
  1. Javed says:

    Some observations as a MA resident and an information security service provider.

    1. As a consumer and state resident, I am glad MA is taking a leadership role. This is probably the toughest data breach notification law out there (we track all state laws for our customers).
    2. Full disclosure: this will probably mean more business for my company, so I have some vested interest in this.
    3. All state agencies are required by this to adopt and maintain an information security program. They can NOT do this without ensuring their vendors are also maintaining an information security program (well, some of them anyway… the company that washes the windows can probably be exempt).
    4. This takes effect on 1/1/09. After that, the vendor security requirements will start trickling out, and my guess is it will take over a year to reach everyone. We do a lot of vendor security due diligence for our customers, and it is like pulling teeth. My prediction is, by the end of 2010 they will have about 50% compliance (if they are lucky).
    5. Compliance is the right _first_ step to preventing ID theft. It is a process, not something that can be achieved the day you become compliant (Hannaford was 100% PCI-DSS compliant and still had a massive breach).

  2. Rob says:

    In the past, when breaches took place that compromised the privacy of personally identifying information, businesses covered them up. That’s just a simple fact, as any security consultant who did incident response 8 years ago can tell you. Then, California passed SB 1386, and the business world was all aflutter. Their main concern wasn’t that they had to implement any new security, or change how they did business. What the buzz was about was the simple provision that if they did suffer a breach that affected residents of California, they were bound by law to report it, publicly. Other states then went on to pass similar bills, many of them patterned after the provisions of SB 1386.

    Guess what happened next? Breach after breach after breach became public. And as a result of that, the issue came to light, and people started doing more to protect this information. Do I think regulations are the best way to accomplish things? Definitely not. But in many situations, there has to be an outside party that dictates standards of conduct, or else a large number of organizations will act in their own best interests (as they are supposed to do), to the detriment of the public. And I think that given the track record on data security regarding PI, regulations like these are needed right now.

  3. Lynn Wheeler says:

    We had been tangentially involved with the cal. state breach notification legislation. Some of the parties involved had done detailed consumer surveys about privacy. The number one consumer privacy issue was identity theft … a major component is “account fraud” (fraudulent financial transactions against existing accounts) resulting from the information leakage in breaches. There was little or no attention being paid to such breaches, so it seemed that there was some hope that, with the publicity from the notifications, it would start to prompt corrective action. Since the cal. breach notification legislation, many other states have passed similar legislation. There have also been two classes of “federal” notification bills proposed over the past couple of years (those that are similar to the cal. legislation and those that would essentially pre-empt state legislation and eliminate most notification requirements).

    I was also involved as co-author of the x9.99 financial privacy standard, which required paying attention to GLBA and HIPAA as well as taking into account EU-DPD.

    After having worked with a small client/server startup that wanted to do payments on their server (they had this technology called SSL, and the implementation is now frequently called electronic commerce), we were invited to be part of the x9a10 financial standard working group, which in the mid-90s had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. This is ALL retail, as in ALL credit, debit, stored-value, check, ACH, etc.; as in ALL POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc.; and as in ALL low-value, medium-value, high-value, etc.

    Part of this involved detailed, end-to-end threat and vulnerability studies of the environments … which eventually resulted in the x9.59 financial transaction standard
    http://www.garlic.com/~lynn/x959.html#x959

    In much of the current infrastructure, knowing the account number is sufficient for a crook to perform a fraudulent transaction. We’ve tried using a number of metaphors to describe the current infrastructure (fixed by x9.59):

    • dual-use vulnerability metaphor

    The account number is required in a large number of different business processes and is required to be readily available. At the same time the account number has to be kept strictly confidential and never divulged to anybody (not even those needing it for business processes, since insiders have repeatedly been shown to be the major source of identity theft). We’ve claimed that even if the planet was buried under miles of information-hiding encryption, it wouldn’t be sufficient to prevent information leakage.

    • security proportional to risk metaphor

    To the merchant, knowledge of the account number is worth some percent of the profit off the transaction; that same knowledge for the crook is worth the account balance/credit limit. As a result, the crook may be able to outspend by a factor of 100 times attacking the system (as the merchant can afford to spend protecting/defending the system).

    • naked transaction metaphor

    Lots of naked transaction metaphor archived blog activity & posts
    http://www.garlic.com/~lynn/subintegrity.html#payments

    With X9.59 it is no longer necessary to “hide” financial transactions to prevent account fraud and fraudulent financial transactions. This doesn’t do anything to eliminate data breaches … but it eliminates the major threats that are the result of most data breaches.

    As an aside, the major use of SSL in the world today is associated with hiding transmitted financial transactions as part of electronic commerce. X9.59 eliminates the need to use SSL for that purpose.
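The “naked transaction” point in the comment above, as an added illustration that is not from the comment and not the X9.59 wire format: a toy issuer that first authorizes on the account number alone, then on a per-transaction authenticator bound to payee, amount and a single-use nonce, so a leaked account number, a replayed authorization or an altered amount no longer clears. HMAC-SHA256 with a per-account key held only by the holder's device and the issuer stands in for the holder's digital signature; all account values are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample values; nothing here is a real account or key.
ACCOUNT = "4111-0000-0000-1234"
HOLDER_KEY = b"constructed key known only to the holder's device and the issuer"


def canonical(txn: dict) -> bytes:
    """Fixed serialization of the fields the holder commits to."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(txn: dict, holder_key: bytes) -> str:
    """Holder's device authenticates this exact transaction (payee, amount, nonce).
    HMAC stands in for the per-account digital signature; the key never travels."""
    return hmac.new(holder_key, canonical(txn), hashlib.sha256).hexdigest()


class Issuer:
    """Toy issuing bank: one key per account, plus a record of used nonces."""

    def __init__(self) -> None:
        self.keys = {ACCOUNT: HOLDER_KEY}
        self.seen_nonces: set = set()

    def authorize_naked(self, txn: dict) -> bool:
        """'Naked transaction': knowing a valid account number is sufficient."""
        return txn["account"] in self.keys

    def authorize_signed(self, txn: dict, tag: str) -> bool:
        """Authenticated transaction: number alone is useless; each tag is single-use."""
        key = self.keys.get(txn["account"])
        if key is None or txn["nonce"] in self.seen_nonces:
            return False  # unknown account, or a replay of an already-used authorization
        if not hmac.compare_digest(tag, sign_transaction(txn, key)):
            return False  # tag does not match these exact fields (forged or altered)
        self.seen_nonces.add(txn["nonce"])
        return True


def run_scenarios() -> dict:
    """Leaked account number; forged, altered and replayed authorizations."""
    issuer = Issuer()
    legit = {"account": ACCOUNT, "payee": "bookshop", "amount": 25, "nonce": "n1"}
    tag = sign_transaction(legit, HOLDER_KEY)  # produced on the holder's device
    fraud = {"account": ACCOUNT, "payee": "mule", "amount": 900, "nonce": "n2"}
    return {
        "naked_fraud": issuer.authorize_naked(fraud),                       # True
        "signed_fraud": issuer.authorize_signed(fraud, "00" * 32),          # False
        "altered": issuer.authorize_signed({**legit, "amount": 900}, tag),  # False
        "signed_legit": issuer.authorize_signed(legit, tag),                # True
        "replay": issuer.authorize_signed(legit, tag),                      # False
    }
```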
