Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Data Leak Prevention: Proactive Security Requirements of Breach Notification Laws - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Data Leak Prevention: Proactive Security Requirements of Breach Notification Laws

I'm beginning to prepare for a talk I plan to give at SANSFIRE 09 on Data Leak Prevention. The talk will basically cover both lost of trade secrets and the loss of NPI (covered seperately because the risk profiles are different). As part of the research I've been looking at breach notification laws of the various states (which also seem to be used as models for other countries).  The particular interest I have is in the proactive requirements that the laws seem to imply and exactly what that means.  First, breach notification laws are written to require businesses to report the potential acquisition of NPI (non-public information) by unauthorized entities.  The define NPI as basically being name plus any of the following (sorry, this is US-centric but what follows applies anywhere):

  • National Identification Number (or you may euphamestically refer to it as a Social Security Number)
  • Driver's License Number
  • Financial Account number (whatever information is required to commit fraud, and in some cases, just the number)
  • Medical information
  • Health insurance information

To clarify, financial account number could be a bank account number (with routing number), credit card number, or debit card number.  Some states require whatever requisite PIN there may be (not applicable with bank account numbers), some states require just the financial account number. If that information is compromised, a notification needs to be sent to consumers in a timely basis.  This makes sense because the company won't be the victim of fraud, the consumer will be.  So the regulation is efficient because it deals with counteracting an externalizing incentive (a little love for those economists out there who get what I just said.)  The notification part is pretty straight forward, that's not what I'm talking about here.

The laws also require both an information security program (undefined) and "reasonable security measures" to prevent the acquisition of NPI data.  This part, at least in the law, is almost intentionally "squishy". While it is probably best that legislators don't spell out technical controls in detail in statute, it makes the task of compliance a bit harder.  However, there are a couple of breach notification enforcement actions that spell out at least what the FTC and the various state Attorney Generals believe "reasonable security measures" include, and it's safe to assume that they will approach future breaches with the same, if not more stringent, standard.  What appears to be what they define as reasonable security measures are:

  • Use of encryption with data at rest and in transit, both within and outside the organization
  • Limiting access to wireless networks
  • Use of strong passwords (and multiple passwords) for administrators to access systems and networks
  • Limit access of internal systems to the internet
  • Employ measures to detect and prevent unauthorized access
  • Conduct security investigations, as appropriate
  • Patching and Updating of anti-virus
  • Requiring periodic changes to passwords
  • Locking accounts after too many failed attempts at logging in
  • Storing credentials in insecure formats (i.e. cookies in the clear)
  • Use of secure transit for credentials (i.e. HTTPS / SSH)
  • Forbidding sharing of accounts
  • Regular assessment of networks and applications for security vulnerabilities
  • Implementing defenses to well known attacks
  • Inventory of NPI data stored, on what servers, for what purposes
  • Secure deletion of NPI once it is no longer needed



262 Posts
ISC Handler
Apr 24th 2009
One thing people may not realize is that the new Massachusetts law covers paper and electronic records. It also says that a name in conjunction with an account number WITH OR WITHOUT the PIN to access the account is confidential data. That means you have a notification-required breach if you do something as easy as mail a monthly statement to the wrong person because your automatic sorter messed up.

Older laws allowed financial institutions an "out" from the state laws if they were in compliance with their federal regulator's requirements (which pretty much do not exist). Newer state laws have eliminated that loophole mandating that at least the state government get notified. I have a feeling a lot of financial institution breaches used the older loophole to stay quiet.

Sign Up for Free or Log In to start participating in the conversation!