BreachExchange mailing list archives

Breaches are a personal nightmare for corporate security pros


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 29 Jan 2015 19:25:07 -0700

http://www.networkworld.com/article/2876191/security0/breaches-are-a-personal-nightmare-for-corporate-security-pros.html

Beyond the compromise of valuable information, loss of revenues and damage
to brand reputation, data breaches can pose a threat to the careers of
security professionals involved: witness the sudden departures of both the
CEO and the CIO of Target after last year’s compromise of 40 million
customers’ credit cards.

While experts say there are no laws to hold CEOs, CIOs and CISOs personally
responsible for damage done when networks are hacked, boards of directors
can use their power to get rid of those they blame, and there’s not much
security execs can do about that.

There are laws, though, that they should worry about because they affect
the liability of the company as a whole for damages resulting from data
loss, so these laws should be taken into consideration when designing
defenses to thwart hacks, says Lisa Sotto, a New York attorney with Hunton
& Williams. Customers affected by breaches bring lawsuits, and shareholders
file suits that blame corporate leadership for falling stock prices, she
says, factors that have to be juggled by the person charged with keeping
data safe.

The trouble is that many of the relevant laws use general wording that has
yet to be clarified by court decisions, making the task more difficult.
“The CISO is the hardest job in the company today because you have little
legal guidance while facing an increasing barrage of attacks from the
outside,” she says. “The environment changes on a dime.”

Contributing to the problem is the 100-year-old Federal Trade Commission
Act, which has been revised and modified over the years. One provision of
the law – written before hacking existed – is being called on to prosecute
companies that fall victim to data theft, says Jason Straight, senior vice
president and chief privacy officer for UnitedLex, a legal and technology
consultancy.

The Federal Trade Commission uses the provision that outlaws “unfair or
deceptive acts or practices in or affecting commerce.” It applies the
language because it says businesses imply they will protect customers’
information then don’t.

The FTC has won more than 50 settlements from companies it charged with
failing to adequately protect customer information they collect. Wyndham
Hotels was one of the companies the FTC went after, but that is fighting
back. There won’t be a court ruling that might clarify the law, though.
Last fall a federal judge turned the case over to a mediator to work out an
agreement. Whatever that decision is won’t have an effect on how the law is
interpreted.

The standard the FTC says it uses is “a company’s data security measures
must be reasonable and appropriate in light of the sensitivity and volume
of consumer information it holds, the size and complexity of its business,
and the cost of available tools to improve security and reduce
vulnerabilities.”

It says it “does not require perfect security; reasonable and appropriate
security is a continuous process of assessing and addressing risks; there
is no one-size-fits-all data security program; and the mere fact that a
breach occurred does not mean that a company has violated the law.”

Settling with the FTC, though, can be burdensome. Companies that sign
consent decrees with the FTC to settle charges are saddled with having
their security practices assessed by the FTC 10 times, once every two
years. “You are married to the FTC for 20 years,” Sotto says. There is no
monetary penalty unless there is a second offense, and then they can be
$16,000 per day per violation.

Individual states such as Massachusetts, California and Nevada have
data-protection statutes that also call for measures that are “reasonable”
and “appropriate,” she says. “It’s not fair to say those are weasel words.
It’s difficult to mandate reasonable standards.”

There are many attempts to set standards to protect data. For example, the
Gramm-Leach-Bliley Act requires written information security programs
spelling out administrative, physical and technological safeguards to
protect customer information. “It’s that vague,” she says.

Beyond laws, regulations governing various industries also come into play
by demanding compliance with often frustratingly vague requirements, she
says.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
requires administrative, physical and technological safeguards, and tries
to spell them out. The downside is they were written in the early 2000s.
“They’re ancient history,” she says, but they are required by law, so
businesses are forced to meet them despite newer defenses created in the
meantime that might be better to protect their current environment. “In a
nanosecond it can change.”

HIPAA allows up to $50,000 sanctions per incident for willful neglect by
the entity that suffers a breach, Straight says. The problem is that
willful neglect has an unclear definition, so it’s hard to know. Penalties
can be more severe and include prison terms. “It’s very difficult for
federal regulators to provide specific information on what you need to do
to fulfill regulators’ requests,” Straight says.

Terminology is vague enough to begin with – such as requiring “reasonable
efforts” and “appropriate security programs” to keep data safe – but what
that means in practice can change. “It’s a very unsettled time,” he says.

The credit card industry has its own standards known as the Payment Card
Industry Data Security Standard (PCI DSS). As a practical matter, being PCI
compliant doesn’t help, Straight says. “That’s the joke in the security
industry – no company that’s compliant with PCI DSS has ever been breached
because a re-audit finds they were not compliant at the time of the
breach,” he says. “I’m not aware of any that’s been certified compliant at
the time of a breach.”

Corporate security pros have to worry about not only whether the defenses
they create meet industry standards, but also whether they adequately
defend information on the network, says Torsten George, a vice president
for security firm Agiliance. Increasingly that includes whether the
defenses withstand legal scrutiny of class-action lawsuits brought by those
whose information becomes compromised.

Even as the consequences for corporate data breaches get stiffer and
stiffer it is accepted as inevitable that all business networks will be
breached eventually, putting executives in charge of protecting these
networks in a pickle.

“Yes you will get breached even if you have a definite in-depth strategy,”
says George. “This is a reality nowadays. There is no 100% protection.”

In order to survive the scrutiny of regulators, other enforcement agencies
and the courts, security pros should make sure their defenses go beyond
merely following standards by rote, Straight recommends. “Ask, ‘Am I
actually protecting the information I should protect?’” he says.

Structurally, security officers such as CSOs shouldn’t report to the CIO
because they have conflicting duties, he says. The CIO is responsible for
design of networks and ensuring uptime for information to be used. CSOs'
job includes restricting that access.

Corporate security execs should carefully document the defenses they do put
in place. “No matter what we do at some point there’s going to be intense
scrutiny on what we do. We’ll have to sit in front of our colleagues and
explain how the security program is adequate,” Straight says.

Despite the best efforts, hassles with the law will become a long-term
nightmare for companies that suffer loss of customer data. “Technical
remediation is relatively straightforward,” Straight says, “legal fallout
will take years.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 