Security Basics:
New Data Security Laws Carry Greater Consequences
Go directly to jail, do not pass Go, and don't even think about collecting your paycheck
by Jim Robins and Dr. Joel Rakow

New laws regarding data security come with greater penalties if you are found negligent in protecting that data, and ignorance of these laws is no defense. You might be incarcerated or lose your current job (greatly diminishing your chances of future employment). All those great people you used to work with may meet you in the unemployment line if your old company is sued out of business. If your responsibility includes security, then you may be the first to go, but all "C" level executives are vulnerable under these new laws. The laws we'll discuss are the result of dramatic increases in the loss of personal and financial information from cyber crimes. However, the laws include any loss of information, even if it is stolen the old fashioned way, such as taking it from the copier room. Don't be too confident -- this can happen to any company at any time. Even the most secure environments are vulnerable to the after-hours cleaning crew as well as the savvy computer hacker.

You are increasingly vulnerable to cyber crime. Consider the figures from reported intrusions in the latest CSI/FBI Computer Crime and Security Survey of large corporations and government agencies, conducted by the Computer Security Institute (CSI) with the FBI:

  • 90 percent of respondents detected computer security breaches within the past 12 months
  • 80 percent acknowledged financial losses due to computer security breaches
  • 44 percent of 223 respondents quantified their losses at nearly $446 million
  • only 34 percent reported the intrusions to law enforcement
  • MasterCard had their first intrusion in 1999 -- today they have one every 10 minutes

As if these figures are not discouraging on their own, consider what is happening as more and more people gain access to the Internet and the tools for hacking become more sophisticated:

  • The number of reported vulnerabilities is roughly doubling each year
  • The number of reported attacks is doubling each year
  • The number of attackers and their level of sophistication increase every year
  • Many Internet sites publish the code needed to break into systems and exploit flaws in packaged software
  • The time between the discovery of a flaw and the release of a patch has shortened, but so has the time until working exploit code is posted on the Internet, so the window in which to patch keeps shrinking
  • The speed with which an automated attack can spread across the Internet is also increasing: what took 24 hours two years ago can now be accomplished in 30 minutes (and that is getting shorter, too)

All of these converging negatives create an atmosphere for "The Perfect Storm" in cyber crime. According to the AON Financial Services Group (2002), "Given that over 70% of the market capitalization of the Fortune 500 companies is attributed to information assets (Forrester Research), 1.4 billion e-mails are sent every day (Nielsen/NetRatings), and there was almost $1 trillion in 2001 online B2B sales (Jupiter Communications), it is no wonder that entities are expected to spend $14 billion by 2005 fending off cyber intruders (International Data Corporation)."

Cyber crime is growing. More importantly, cyber crime is so different that traditional crime-fighting techniques cannot be applied. Huge cyber crime acts overwhelm incident-response teams; such teams are particularly crippled by the high percentage of "false positives" reported. Another complicating factor: the global nature of the crime. Tracking down criminals is futile for all but the largest crimes (for example, the theft of $30 million or more). Even in such cases, where would the criminals be tried - in the jurisdiction of the victim, the criminal, the victim's servers, or the criminal's server? Even worse are the chances of collecting a judgment against a group of hackers.

Fortress-style security and crisis management models do not work. Physical security organizations operating apart from data security efforts, another traditional approach to combating crime, don't work.

Meanwhile, legislation and regulations are forcing companies of every type to re-think how they protect their information assets, especially employee and customer information. The legislation calls for greater penalties when companies fail to protect certain types of information.

The following summary of the recent legal and regulatory requirements that you and your company must comply with is adapted from Marsh & McLennan Companies' Risk Alert, "Information Risk - Protecting Your Organization in a Networked World."

California Senate Bill 1386 (effective July 2003)
Senate Bill 1386 (its companion bill was Assembly Bill 700), codified at California Civil Code section 1798.82, requires any person, business, or state agency that owns or licenses computerized data containing personal information to disclose a breach of the security of that system. An organization that maintains computerized data it does not own must instead notify the owner or licensee of the information about the breach. Disclosure must be made in the most expedient time possible and without unreasonable delay to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Notification may be delayed if a law enforcement agency determines that it would impede a criminal investigation, but it must be made once that agency determines notification will no longer compromise the investigation. The statute also allows the time reasonably needed for measures necessary to determine the scope of the breach and restore the integrity of the data system, but no longer than that.

The bill defines "breach of the security of the system" as unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the organization. It defines "personal information" as a person's first name or first initial and last name in combination with one or more of the following, when either the name or the data element is unencrypted: Social Security number; driver's license number or California Identification Card number; or an account number, credit card number, or debit card number together with any required security code, access code, or password that would permit access to the individual's financial account. Information lawfully made available to the public from government records is excluded.

Notice may be written, electronic, or by substitute notice. Substitute notice (e-mail where an address is on file, conspicuous posting on the organization's website, and notification to major statewide media) is permitted when the organization demonstrates that the cost of notice would exceed $250,000, that more than 500,000 people would have to be notified, or that it lacks sufficient contact information. Because the trigger is a reasonable belief that data was acquired, notice is owed for a suspected compromise, not only a proven one. The statute protects California residents, but it binds any business that conducts business in California wherever it is headquartered; at the time of writing, US Senator Dianne Feinstein (D-Calif.) was circulating a draft Database Security Breach Notification Act modeled on the California law.
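The statute's definitions reduce to a small set of rules, encoded here as an added triage example; it is not a tool from the article or its authors. The field names (first_name, ssn, credit_card and so on) and the choice to count an account or card number only when an unlocking code or password was exposed alongside it are assumptions of the example; the name-plus-element definition, the encryption exemption, the "reasonably believed to have been acquired" trigger and the $250,000 / 500,000-person substitute-notice thresholds come from the statute as summarized above.

```python
"""Breach-notification triage for California SB 1386 (Civil Code 1798.82).

Added example, not the article's or its authors' code.  Column names below
are assumptions made for the illustration; the rules are the statute's.
"""
from dataclasses import dataclass

NAME_FIRST = frozenset({"first_name", "first_initial"})
ID_ELEMENTS = frozenset({"ssn", "drivers_license", "ca_id_card"})
ACCOUNT_ELEMENTS = frozenset({"account_number", "credit_card", "debit_card"})
ACCESS_ELEMENTS = frozenset({"security_code", "access_code", "password"})

SUBSTITUTE_COST_USD = 250_000     # substitute notice allowed above this cost
SUBSTITUTE_PEOPLE = 500_000       # ... or above this many affected people


@dataclass
class ExposedData:
    fields: frozenset                          # columns present in the exposed records
    encrypted: frozenset = frozenset()         # the subset of columns stored encrypted
    reasonably_believed_acquired: bool = True  # the statute's trigger; proof of misuse is not required
    affected_count: int = 0
    notice_cost_usd: float = 0.0
    contact_info_available: bool = True


def qualifying_elements(d):
    """Data elements that, combined with a name, form 'personal information'."""
    elems = set(ID_ELEMENTS & d.fields)
    accounts = ACCOUNT_ELEMENTS & d.fields
    codes = ACCESS_ELEMENTS & d.fields
    # Assumption of this example: an account or card number counts only when a
    # code or password that unlocks the account was exposed with it.
    if accounts and codes:
        elems |= accounts | codes
    return frozenset(elems)


def is_personal_information(d):
    if "last_name" not in d.fields or not (NAME_FIRST & d.fields):
        return False                           # no first name/initial + last name
    name = {"last_name"} | (NAME_FIRST & d.fields)
    elems = qualifying_elements(d)
    if not elems:
        return False                           # e.g. name + e-mail address only
    # The combination is exempt only when BOTH the name and the data elements
    # are encrypted; the statute reads "when either ... are not encrypted".
    return not (name <= d.encrypted and elems <= d.encrypted)


def notice_required(d):
    return d.reasonably_believed_acquired and is_personal_information(d)


def notice_method(d):
    """'none', 'written-or-electronic', or 'substitute' (e-mail + web + media)."""
    if not notice_required(d):
        return "none"
    if (d.notice_cost_usd > SUBSTITUTE_COST_USD
            or d.affected_count > SUBSTITUTE_PEOPLE
            or not d.contact_info_available):
        return "substitute"
    return "written-or-electronic"


if __name__ == "__main__":
    # Constructed scenario: a customer export with names and card data leaked.
    leak = ExposedData(fields=frozenset({"first_initial", "last_name", "credit_card", "security_code"}),
                       affected_count=600_000)
    print("notice required:", notice_required(leak), "method:", notice_method(leak))
```

The function is deliberately conservative where the statute is: a name stored in the clear next to an encrypted Social Security number still triggers notice, and a "reasonable belief" of acquisition is enough. Run it over the column inventory of every store that was reachable from the compromised system, not only the one the attacker is known to have read.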

Sarbanes-Oxley Act (2002)
On first reading this legislation addresses corporate accountability and the accuracy of financial reporting, but its internal-control requirements reach directly into information security, because the systems that produce financial reports must be protected from unauthorized access and tampering. The act increases the responsibility of corporate audit committees and limits the non-audit services (including financial information systems design and implementation) that an auditor may offer its audit clients. It also increases the penalties for violations of securities law and other laws, and allows them to be levied against individuals, not just corporations.

Under Section 302, the principal executive and financial officers must certify each periodic report, establish and maintain internal controls, and have evaluated the effectiveness of those controls as of a date within 90 days before the report; under Section 404, management must assess internal control over financial reporting annually, with the assessment attested by the external auditor. Preventing unauthorized access to, and tampering with, the information that feeds those reports is therefore a personal obligation of those officers, not only an IT concern.

Gramm-Leach-Bliley Act (1999)
This act is also known as the Financial Services Modernization Act of 1999 (GLBA). It is designed to protect the privacy and security of consumers' nonpublic personal information. A company that fails to comply with GLBA provisions may be the target of enforcement actions, civil penalties, governmental fines and penalties, and cease-and-desist orders. Among the issues covered by the act:

  • Financial institutions must clearly disclose their privacy policies with regard to sharing nonpublic personal information with both affiliates and third parties.
  • Financial institutions must notify consumers of, and provide them with, an opportunity to "opt out" of the institutions' sharing non-public information with nonaffiliated third parties, subject to certain limited exceptions.
  • Financial institutions must disclose their privacy policy when they first establish customer relationships with consumers and not less than annually thereafter for the duration of the relationship.
  • The Federal Trade Commission, the federal banking agencies, the National Credit Union Administration, and the Securities and Exchange Commission have the authority to enforce the regulations.

A substantial portion of GLBA speaks to the sanctity of personal information and the obligation of financial institutions to protect it. Its Safeguards Rule (the FTC's version, 16 CFR Part 314, took effect in May 2003; the federal banking agencies issued parallel interagency guidelines) requires each covered institution to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards appropriate to its size and the sensitivity of the customer information it holds, including a designated coordinator, a documented risk assessment, and oversight of service providers. Principal executives and board directors may be held personally liable for practices that are viewed as negligent.

The Health Insurance Portability and Accountability Act of 1996
The federal government has made the privacy of patient information a priority. Most healthcare organizations had until April 14, 2003 to comply with the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA); small health plans were given an additional year. The Privacy Rule applies to healthcare providers, health plans, and healthcare clearinghouses, and, through business-associate contracts, to organizations that handle patient records and finances on their behalf.

In addition to HIPAA, healthcare organizations must comply with existing common law and the statutory and regulatory protections under state law that safeguard the privacy of individuals' medical information. They also face the separate HIPAA Security Rule, finalized in February 2003 with a compliance date of April 2005 for most covered entities, which requires administrative, physical, and technical safeguards such as risk analysis, periodic evaluation, contingency and data backup plans, workforce security, protection from malicious software, and authentication procedures.

What Can You Do?
In addition to the obvious technical remedies, employee and management awareness is critical to avoid "social engineering" forms of intrusion. This involves detailed policies and procedures, along with the associated training efforts.

Mike Rogers, Information Protection Officer of the Automobile Club of Southern California says, "You need to establish the appropriate level of paranoia within your organization." Employees should not be so frightened they are ineffective, but they need to understand that the penalties can apply to them as well, and they can be severe.

You need a formalized plan that encompasses both proactive deterrence and early detection:

  • Convert physical access control systems to communicate directly with the corporate data network
  • Conduct threat assessments using physical security and data security on the same task force
  • Monitor network events and file access events to identify suspect events
  • Populate an investigation database with suspect events and share results with such parties as competitors, law enforcement, and online security clearing houses
  • Promote and publicize that you share your data to deter criminals
  • Use your network monitoring to document compliance with corporate policies on employee security practices
  • Insure your company against cyber losses; a documented, proactive security program helps you qualify for coverage, lowers the premium, and mitigates the risks your policy excludes
  • Develop and maintain incident response plans
  • Preserve evidence but know that enforcement, prosecution, and collection are unlikely
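As an added example of the monitoring step in the plan above (not a tool from the article or its authors), the following Python reads a small constructed file-access log and flags three kinds of suspect event: access to sensitive paths outside business hours (the after-hours cleaning crew from the opening paragraph), one account reading many distinct sensitive files within a short window (bulk harvesting), and repeated denied attempts by one account. The log format, the sensitive-path list, the business-hours window and the thresholds are assumptions chosen for the illustration.

```python
"""Flag suspect file-access events from an access log.

Added example for the monitoring step; not code from the article.  The log
format, paths, hours and thresholds below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SENSITIVE_PREFIXES = ("/hr/", "/finance/", "/customers/")   # assumed sensitive trees
BUSINESS_HOURS = (7, 19)        # 07:00 <= hour < 19:00, Monday to Friday (assumed)
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5              # distinct sensitive files by one user inside the window
DENY_THRESHOLD = 3              # denied attempts by one user on one day

# Constructed sample log, one event per line: timestamp,user,action,path,result
SAMPLE_LOG = """\
2003-08-18T09:12:04,asmith,read,/finance/q2-forecast.xls,ok
2003-08-18T09:30:11,asmith,read,/finance/q2-forecast.xls,ok
2003-08-18T22:41:09,cleaner1,read,/hr/payroll-2003.xls,ok
2003-08-18T14:02:00,bjones,read,/customers/cards-000.csv,ok
2003-08-18T14:02:07,bjones,read,/customers/cards-001.csv,ok
2003-08-18T14:02:15,bjones,read,/customers/cards-002.csv,ok
2003-08-18T14:02:22,bjones,read,/customers/cards-003.csv,ok
2003-08-18T14:02:30,bjones,read,/customers/cards-004.csv,ok
2003-08-18T10:00:00,tmp_contractor,read,/hr/salaries.xls,denied
2003-08-18T10:00:05,tmp_contractor,read,/hr/salaries.xls,denied
2003-08-18T10:00:09,tmp_contractor,read,/hr/bonuses.xls,denied
2003-08-18T11:15:00,asmith,read,/public/newsletter.doc,ok
"""


def parse(log_text):
    """Parse the comma-separated lines into dicts, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def after_hours(ts):
    """True on weekends or outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect(events):
    """Return (rule, user, detail) tuples for every suspect event, in log order."""
    alerts = []
    recent = defaultdict(deque)     # user -> deque of (ts, path) inside BULK_WINDOW
    denies = defaultdict(int)       # (user, date) -> denied attempts so far
    for e in events:
        if e["result"] == "denied":
            key = (e["user"], e["ts"].date())
            denies[key] += 1
            if denies[key] == DENY_THRESHOLD:          # fire once, when crossed
                alerts.append(("repeated-denial", e["user"], e["path"]))
            continue
        if not is_sensitive(e["path"]):
            continue
        if after_hours(e["ts"]):
            alerts.append(("after-hours-access", e["user"], e["path"]))
        window = recent[e["user"]]
        window.append((e["ts"], e["path"]))
        while window and e["ts"] - window[0][0] > BULK_WINDOW:
            window.popleft()                           # drop events older than the window
        distinct = {p for _, p in window}
        if len(distinct) == BULK_THRESHOLD:            # fires once as the count crosses
            alerts.append(("bulk-read", e["user"], f"{len(distinct)} files in {BULK_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

Each alert names the rule, the account and the object, which is exactly the triple an investigation database needs; the rules are simple on purpose, so that the false-positive rate the article warns about can be measured and the thresholds tuned per environment before anything is shared with outside parties.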

The combination of increased cyber crime and new legislation has dramatically increased your risk: damages can come from the loss or theft itself followed by class action suits with serious (possibly catastrophic) penalties.

Prepare a five-year plan customized for your organization. This plan, along with annual progress, proves that "reasonable efforts" are underway to protect the organization. In turn, this could protect you against the legal liability of being found negligent in performing the duty of protecting information that is covered by the new legislation and regulations.

Jim Robins is Managing Partner of Tatum Partners' Technology Leadership group and responsible for their eCrimes practice area. He has 35 years of international IT experience including work in security, e-commerce, CRM, SCM, data warehousing, and disaster recovery. He can be reached at jim.robins@tatumcio.com. Dr. Joel Rakow is the eCrimes Practice Leader for Tatum Partners with over 15 years of IT experience. He is a member of the FBI InfraGard organization and the Advisory Committee for the Los Angeles Electronic Crimes Task Force, an advisor to the U.S. Secret Service, and a former law enforcement officer. He can be reached at joel.rakow@tatumcio.com. You can contact Jim Robins and Dr. Joel Rakow about Security Basics: New Data Security Laws Carry Greater Consequences at editor@riskanalysisgroup.com

This article was previously published in Enterprise Systems by 101 Communications, August 20th, 2003. Reprinted with permission.







