Category Archives: Network Security

PC World: Self-Encrypted Drives Set to Become Standard Fare

Although they have been out now for a few years, it is only recently that manufacturers have decided to mass market self-encrypting hard drives, i.e., drives that have integrated keys within their chip set.  According to standards experts quoted in a recent PC World article, in a few years, companies will be relying on self-encrypting drives “and you won’t even realize it-because it will be so pervasive. The encryption just works, it doesn’t impact you.”

Companies looking to better navigate notification breach safe harbors and any recently enacted security standards should take an immediate hard look at deploying laptops, desktops, and storage devices using this relatively painless way of encrypting sensitive data.  That hard look should especially be taken by firms looking to comply with state laws such as the Massachusetts Data Protection Law or steer clear of possible penalties available under the HITECH Act.

NJ Supreme Court: Fired Employee Can Use Stolen Confidential Documents

In a decision that might have significant ramifications in future discrimination and whistle-blower lawsuits, the New Jersey Supreme Court  ruled in Quinlan v. Curtiss-Wright Corp., No. A-51-09 (N.J. Sup. Ct. Dec. 2, 2010) that an employee who copied 1,800 of pages of documents that she came upon during the normal course of her work — many with confidential information — could share them with the  attorney representing her in a lawsuit against the employer.  The Supreme Court allowed the usage of these documents even though the plaintiff signed her employer’s standard confidentiality agreement that bars employees from using confidential information for private use.

According to the dissent:

From this point forward, no business can safely discharge an employee who is stealing highly sensitive personnel documents even as she is suing her employer and disregarding the lawful means for securing discovery. Moreover, lawyers may think that, even after they have initiated a lawsuit, they can accept pilfered documents and benefit by using them to surprise an adversary in a deposition rather than abide by the rules of discovery.

Although the decision did reaffirm the ability of an employer to fire an employee for the theft of confidential documents, it provides for a potential safe harbor to the extent such documents are used in a subsequent suit for discrimination.   Newspapers as well as law firms have written on the decision, including Lowenstein Sandler, Proskauer Rose, Jackson Lewis, and Fox Rothschild.

Commentators have suggested that employers implement comprehensive confidentiality policies that are  communicated firm-wide and uniformly enforced.  Although that is certainly sound counsel, it is also suggested that adequate security measures be implemented that allow employers to prevent or at least track the copying and removal of over one thousand documents.  Moreover, although not discussed in either the ruling or subsequent  commentaries, there is only a minor leap to be made to extend this holding to whistle-blower suits.  Although choice of law issues remain untested, the new Dodd-Frank’s whistle-blower provisions — which allow employees to obtain significant rewards for providing information to law enforcement authorities about violations of the federal securities laws, the Foreign Corrupt Practices Act, the Investment Advisers Act and the Investment Company Act — may even be in play.   Bottom line:  New Jersey employers need to review their data security and confidentiality policies to address this new decision.

The Red Flag Program Clarification Act of 2010 Passes House and Senate

Looking to beat the end of the year enforcement deadline, the Senate (on November 30, 2010) and the House (on December 7, 2010) have now both voted to pass a law that would limit the scope of the FTC’s Red Flags regulations.  Although the ABA lawsuit seeking to exempt lawyers from the scope of these regulations is on appeal, it appears as if that suit will soon be dismissed as moot.

First introduced by Sen. John Thune, The Red Flag Program Clarification Act of 2010, S. 3987, would define a creditor as someone who uses credit reports, furnishes information to credit reporting agencies or “advances funds…based on an obligation of the person to repay the funds or repayable from specific property pledges by or on behalf of the person.”  Sen. Thune’s web site statement regarding the regulations states that action was necessary given the FTC was threatening small businesses with its regulations. 

As written, the existing law applies to “creditors,” a term the FTC interpreted broadly to include professionals who regularly deferred payment on services.  The FTC had delayed enforcement of these regulations numerous times due to pressure by the ABA and AMA given that the sweeping nature of the regulations would take into account professionals who would incur significant costs to address a perceived slight exposure.   As recognized on the House floor by Rep. John Adler (D-N.J.),“When I think of the word ‘creditor,’ dentists, accounting firms and law firms do not come to mind.”

Lost on many is the fact these regulations will remain in force and will still impact business owners throughout the country, including financial institutions, car dealers, contractors, utilities, phone providers, retailers (if financing is provided), mortgage brokers, etc.  Moreover, even if a business may no longer be “technically” within the rubric of the regulations, it may be a good best practice to still comply.  For example, an ID theft victim may look to the FTC Red Flags regulations to help determine a baseline reasonableness standard.  Although estimates of compliance costs range from $1,000 to $1,500 for small business owners, this amount may pale when compared to the expenses incurred in defending a data breach claim.

[Update:  December 18, 2010]
President Obama signed the Act into law.

Ponemon Institute: Lost Laptops Cost Billions

The Ponemon Institute’s latest report, “The Billion Dollar Laptop Study,” shows that 329 organizations surveyed lost more than 86,000 laptops over the course of a year.  Based on these findings and an earlier survey that put the average cost of lost laptop data at $49,246, the total cost amounts to more than $2.1 billion or $6.4 million per organization.

Some other key findings of the report:  (1)  while 46 percent of the lost systems contained confidential data, only 30 percent of those systems were encrypted; (2) only 10 percent had any other anti-theft technologies; and (3) 71 percent of laptops lost were not backed up so all work in progress was lost.

At the release media event reported on by InformationWeek, Larry Ponemon explained that most of the cost “is linked to the value of intellectual property on these laptops and the fees associated with data breaches and statutory notification requirements.”   During this same press conference, Ponemon recounted interviewing one woman at a company who had lost 11 laptops in two years:  “She claimed she wasn’t really that careful with laptops because the only way she could get a better one was to lose it.”

It is this disconnect — the value of the information lost vs. the relative interest in the user in protecting such information — that becomes the ultimate challenge faced by most firms.   Employee training remains the front line in addressing this challenge but having employees pay for their lost corporate laptops may actually yield more desirable results.   It would be interesting to have the next Ponemon lost laptop study include the ratio of lost business laptops compared to lost personal laptops, i.e., those actually purchased by an employee.

IW: CIOs See Smartphones As Data Breach Time Bomb

As recently reported by InformationWeek, a study conducted by market researcher Ovum and the European Association for e-Identity and Security found that eight out of 10 CIOs believe using smartphones in the workplace increases their firm’s vulnerability to attack.  Although these CIOs rank data breaches as their top related security concern, half of the organizations acknowledge that they fail to provide some basic security measures for the use of smartphones.

This report should be of major concern to doctors and lawyers — two groups of professionals that rely heavily on the use of smartphones to manage their workloads.    At the very least, an easily applied security precaution for smartphones should be the use of a strong password that is changed every 60 days or sooner.  Two-factor authentication is preferable.   Users should back up data regularly and not have it remain solely on a mobile device – unfortunately, default settings can have the communications emanating from your mobile device remain resident solely on a mobile network.  Make sure your mobile device is equipped with anti-virus protection and if you receive an e-mail from a company or person that you’re not familiar with, do what you do on your work computer – just delete it.   Use your idle timer feature to lock down your smartphone as you would your laptop.  

If you have an IT support team (in-house or outsourced), make sure it keeps your operating system and server patches up to date and strictly enforces what applications can be used and what connections can be accessed.   What OS is even used may impact security.   For example, researchers have recently discovered flaws in the WebOS smartphone platform that could let an attacker build a mobile botnet or execute other remote attacks.  More advanced security features include the use of remote wiping applications, encryption and data loss/leak prevention tools.  

Notwithstanding the fact it can also place a call, the key to improving your security posture is to respect the fact your mobile smartphone is now no different from any other computer you use at work.  Act accordingly.

ABA: Law firms are Likely Targets for Attacks Seeking to Steal Information off Computer Systems

According to a recent ABA Journal article, the global digital infrastructure is under siege and law firms are to some extent on the front lines given the vast amounts of sensitive data they process and maintain.  Bradford A. Bleier, unit chief to the Cyber National Security Section in the FBI’s Cyber Division, is quoted in the article:  “Law firms have tremendous concentrations of really critical private information” and breaking into a firm’s computer system “is a really optimal way to obtain economic and personal security information.”  Philip Reitinger, the director of the National Cybersecurity Center in the Department of Homeland Security, believes this threat is increasing for two different reasons.   First, he said, “the skill level of attackers is growing across the board.” And, secondly, the nation’s networks of computer systems are becoming more connected and complex all the time, “and complexity is the enemy of security.”  Marc Zwillinger, a founding partner of Zwillinger Genetski, recognized another obvious problem for law firms:   “Lawyers haven’t been as diligent with security as some of the institutions that gave them information.”

After sufficiently spreading the FUD (fear, uncertainty, and doubt) throughout, what does the ABA author suggest as a solution.  Well, not much of note.  It is suggested that firms change their culture to be more in tune to security – which will likely need to be done from the top down given most managing partners, according to the author, have little time with sophisticated passwords and things that might otherwise slow them down.   It is also suggested that data be segregated and that encryption be deployed. 

The most relevant bit of information from the article actually was added in the sidebar and builds on Marc Zwillinger’s suggestion that a client’s security is usually more evolved than that of its law firm.    The author’s sidebar comment points out that clients may soon be auditing their law firm’s security.  Given that lawyers have been helping clients with technology due diligence for years now and have also been advising  on the use of audits, it is not much of a stretch to expect one law firm to recommend auditing another firm.  Those law firms in front of this issue will not only keep existing clients – they will also be in great shape to potentially win new ones.   Afterall, what law firm would suggest such an audit if it did not already deploy a sophisticated security infrastructure of its own?

Study: Electronic Theft Costs More Than Physical Theft

In a recently published study conducted by security firm Kroll, findings showed electronic and information theft are at 27.3 percent of total fraud losses while physical theft at 27.2 percent.  Although this is statistically a dead heat, the fact that it is even close is significant for all companies looking to curtail fraud costs.  Interestingly, China had the highest level of fraud, with 98 percent of businesses affected, and Colombia and Brazil came in next, with 94 percent and 90 percent respectively.  

According to Kroll, “information-based industries reported the highest incidence of theft of information and electronic data over the past 12 months. These include financial services (42% in 2010 versus 24% in 2009), professional services (40% in 2010 versus 27% in 2009) and technology, media and telecoms (37% in 2010 versus 29% in 2009).”

There are two common sense takeaways from this recent study — devote the right resources (including training) to avoid electronic theft and fraud and ensure the right security and vetting processes are in place when doing business in emerging markets, especially if your firm holds a good deal of sensitive data.  Although both suggestions may seem obvious it often takes the cumulative impact of these surveys and anecdotal evidence to really push the risk management needle.

FBI Warns “Here you have” Worm Hits Agencies and Businesses

Here is an FBI warning that was sent out yesterday to all FBI agents and FBI Infragard members.  It is worth repeating verbatim.

From: HQ INFORMATION TECHNOLOGY BRANCH
Sent: Sat Sep 11 22:08:33 2010
Subject: Computer Security Alert

A new Computer “worm” attacked several federal agencies and Fortune 500 companies yesterday.  The malicious email messages contain the subject line “Here you have” or “Just For You” and contain a link to a seemingly legitimate PDF file. If users click on this link, they will be redirected to a malicious website that will prompt them to download and install a screensaver (.scr) file. If they agree to install this file, they will become infected with an email worm that will continue to propagate through their email contacts.

Even though we are protected, sometimes the adversaries change the email to look a little different so they can get past defenses.  The Bureau is asking all users to carefully watch your emails here at work and on your home machine.  To reduce the risk of compromising your FBI workstation, be alert for unsolicited e-mail messages and keep in mind the following traits common to malicious e-mail messages:

  • Subject matter related to recipient’s work, possibly containing actual U.S. Government information
  • A sense of urgency to convince the recipient to open an attachment or click a link within the message
  • Convincing content such as upcoming meeting agendas, reports, information on current events or policy issues
  • Seemingly-legitimate sender (government and commercial addresses, including @fbi.gov) using legitimate signature and contact information
  • Receiving an email with just a link
  • An attachment (typically a .pdf or .zip file) or link

Thank you for your assistance and vigilance in protecting the FBI’s networks.

Enterprise Security Operations Center (ESOC)

JEH-HQ

HITECH Public Data Breaches: Majority Caused by Theft

Last month, the Health Information Trust Alliance published an analysis of the 108 breaches reported to HHS from Sept. 23, 2009 (when reporting first started under the HITECH Act) to mid-July.  This review illustrates the major impact of theft on healthcare providers.   Of 108 total reported breaches, 68 were the result of theft.  Indeed, the only type of breach experienced by every healthcare industry sector was theft.   The most common thefts involved laptops and removable data drives and devices.   The majority of the data found on these devices remains unencrypted.  This lack of encryption is significant given that, as with the breach notification laws in most states, there is a notification safe harbor under the HITECH Act implementation regulations whenever the stolen data is encrypted. 

This review of HHS reported breaches highlights what risk managers have likely known for some time now, namely that it is important to better train employees regarding the use and maintenance of laptops/memory devices.  Although not nearly as “top of mind” as better training, risk managers are now understanding the value in deploying system-wide encryption solutions.  There is obviously much less likelihood of the breach turning into a major financial incident when there is no notification.  In other words, whether the added expense of encryption — both financial and time-driven — is worth it to a healthcare provider gets answered each day there is another publicly noticed breach.

AON Disclosure Impacts 22,000 Retirees

According to a story published today in the News Journal, Aon Consulting is mailing letters to approximately 22,000 State of Delaware retirees after it inadvertently posted social security numbers, gender information and dates of birth in a Request for Proposal (RFP) the company prepared for the State.  The RFP information was posted by AON to the procurement section of the Delaware website for five days before it was discovered and removed.  This is not the first data breach for Aon Consulting.  In May 2008, an AON laptop containing the names and Social Security numbers of 57,160 people related to a Verizon engagement was stolen from a New York City restaurant. The laptop was never recovered.

Moreover, it is not the first time a global broker has compromised client data.  On May 9, 2006, a Marsh subsidiary lost a personal computer containing records of more than a half million New Yorkers.  The lost data includes social security numbers and dates of birth.   And, in 2008, Willis lost a data tape in India that contained data belonging to numerous clients who, in turn, had to report to their clients

These events are a stark reminder that no one is 100% immune — even those who are in the risk management business are vulnerable to a data breach.  Indeed, Marsh, AON and Willis are the three largest brokers in the world and have built over the years very sophisticated risk management practices to assist clients address their exposures.   Accordingly, the message here is not to think any less of these brokers but rather to recognize the magnitude of the challenges faced by all firms when  managing data risk.  In other words, if a breach can hit these folks, it can hit just about anyone.