Post on 20-Aug-2015
transcript
California Data Privacy Laws: Is Compliance Good Enough?
May 2010
Chris Merritt, Director, Solution Marketing
Today’s Agenda
Data Protection in California … and Beyond
Achieving Compliance … or Security?
How to … Move Beyond Compliance
How Lumension Helps
Data Protection in California… and Beyond
2009 Fraud & ID Theft Data
(chart)
Source: FTC Consumer Sentinel Network (CSN) 2009 Data Book, Feb 2010
2009 Fraud & ID Theft in California
(chart)
Total Number of Identity Theft, Fraud and Other Consumer Complaints = 165,033
California Data Protection Laws
Medical Information (CA Civil Code §§ 56.06)
• AB 1298 (January 2008)
• Expands …
  » application of the Confidentiality of Medical Information Act (CMIA) to any business handling medical information
  » definition of PII to include medical information
• Penalties include …
  » individual – $1,000 per violation, plus damages and court costs
  » civil – from $1,000 to $250,000 per violation
  » considered a misdemeanor
• Example …
  » Nadya Suleman (aka ‘Octomom’) case
California Data Protection Laws
Consumer Credit Reporting Agency (CA Civil Code §§ 1785.11.2)
• SB 168 (Jul 2002)
• Requirements
  » Allows consumers to ask for a “credit freeze”
  » Prohibits exposing SSNs (print, clear-text transmission, etc.) or requiring SSNs for identification
• Augments the rest of §1785, covering Credit Reporting / Usage …
  » address matching
  » verification of no ID Theft / Fraud
  » cannot sell debt in cases of ID Theft
  » fines for ID Theft / Fraud
  » and much more
California Data Protection Laws
Protecting PII (State Agencies and Businesses) (CA Civil Code §§ 1798.29, 1798.82)
• SB 1386 (Jul 2003)
• Requirements
  » Covers any CA business or businesses with CA customers, and their vendors
  » Covers PII (first / last name, address, tel. no., acct. no., PIN, SSN, etc.)
  » Requires notification if there was “or is reasonably believed to have been” a breach, unless data are encrypted (with some caveats)
First State Data Breach Notification law in US, and model for many that followed
Other State Data Protection Laws
Massachusetts (201 CMR 17) –
• covers all businesses with MA customers
• requires comprehensive written security plan
• requires encryption, firewall, patching and anti-malware
Nevada (Chap. 603A) –
• codifies PCI-DSS
• provides “safe harbor” if data are encrypted or if compliant w/ PCI
Other Federal Data Protection Laws
• Sarbanes-Oxley (SOX)
• Gramm-Leach-Bliley Act (GLBA)
• FACTA Red Flag Rules
• BSA / AMLA
• HIPAA
• HITECH
Other Data Protection Regulations
• PCI-DSS
• NERC
International Data Protection Laws
• UK Data Protection Act
• EU Directives
• Basel II
Proposed Federal Data Protection Laws
• Personal Data Privacy and Security Act of 2009 (S.1490)
• Data Breach Notification Act (S.139)
• Data Accountability and Trust Act (H.2221)
Achieving Compliance… or Security?
Achieving Compliance … or Security
How to deal with this crazy quilt of statutes and regulations?
• Focus on compliance
  » Pros – lowered liability, improved operations, meeting letter of the law
  » Cons – overlapping requirements, complicated, always chasing new rules
• But … compliance ≠ security!
• Need to move beyond mere compliance … to true security
  » Cons – more upfront effort
  » Pros – legal defensibility, better alignment w/ threats, better protection of all valuable data
How to... Move Beyond Compliance
Four Steps to Security
(diagram: Policy, Process, Technology, People)
Technology – Defense in Depth
(diagram)
3P’s of Security
Policy …
• needs to be …
  » written down and available
  » monitored and adapted as needed
  » end-to-end (data, users)
  » enforceable / enforced
Process …
• reduces workload and eliminates gaps
• needs to enable productivity, but provide security
People …
• are your perimeter
• need continuous education / training
How Lumension Helps
Lumension helps you
» Identify data for protection
» Protect data from theft
» Demonstrate compliance
Lumension solutions
» Protect against data theft and data loss
» Control the use of applications and devices
» Enforce encryption when data is copied to removable media
» Automate the collection, analysis, and delivery of patches and updates
» Audit the network for compliance with Data Protection regulations in California and beyond
How Lumension Helps – Encryption
External Device Encryption
» Enforce encryption of information transferred to …
  • Removable devices (ext. HDs, USB sticks, etc.)
  • Removable media (CDs, DVDs)
» Control and manage device access through all ports
  • Physical interfaces such as USB, FireWire, PCMCIA, etc.
  • Wireless interfaces such as WiFi, Bluetooth, IrDA, etc.
» Control and monitor all devices in network environment
  • Those connected now or ever
  • Limit access by user, machine, time, status
» Deliver detailed forensics of device usage and data transfer
  • Log file metadata (name, type, size, etc.)
  • Retain copy of entire file
How Lumension Helps – Password Control
Password Protection
» Agent-based inventory capability validates password complexity
» Network-based scan detects password complexity policy option
» Force use of complex passwords
» Prevent users from accessing encrypted devices/media after five incorrect password attempts
How Lumension Helps – System Security
Comprehensive Endpoint Protection
» Lumension AntiVirus provides protection against malware
  • Traditional blacklisting
  • Behavioral analysis capabilities
» Lumension Patch and Remediation provides automated patching
  • Comprehensive vulnerability assessment
  • Rapid, accurate and secure patch management
  • Ensures systems are up-to-date and free from vulnerabilities
» Lumension Application Control guards against unwanted change
  • Prevents unauthorized / unwanted apps from executing, including malware
  • Maintain network assets in known state
» Lumension Device Control provides endpoint data protection
  • Protects against data leakage (theft / loss)
  • Forces encryption of data transferred to removable devices / media
  • Prevents malware introduction via removable devices / media
How Lumension Helps – Show Compliance
Compliance & IT Risk
» Demonstrate compliance to Data Protection regulations in California and beyond
» Use Lumension Risk Manager to …
  • Identify key assets
  • Assess compliance level of these assets
  • Remediate assets to bring them into compliance
  • Manage key assets on a consistent basis
Integrated Risk Management Console
(diagram: Compliance, Business Impact, Risk Management and Operational Security across IT Assets, Devices, Applications, Business Subjects and People; Control Connectors to Lumension Vulnerability Management, Lumension Data Protection, Lumension Endpoint Protection, Connector Development Kit and 3rd Party Connectors; Business Framework, Risk & Compliance, Lumension Survey, Workflow Engine)
Summary
Lumension Enables Organizations to …
» Stay ahead of remote threats
» Streamline security and operational management across heterogeneous environments
» Gain visibility into real-time patch status and overall security posture
» Save time and cost through automation
» Elevate security posture with full visibility into and control over endpoints
» Address Data Protection regulations in California and beyond with confidence
Questions?
Resources and Tools
• Whitepapers
  » Ogren Group Security Analysis Case Study - Proactively Managing Endpoint Risk
  » Three Ways to Prevent USB Insecurity In Your Enterprise
  » and a host of other Data Protection whitepapers
• Other Resources
  » Podcasts, Videos, Webcasts
  » On-Demand Demos
  » eBooks
• Premium Security Tools
  » Scanners
• Product Software Evaluations
  » Virtual Environment
  » Full Software Download
Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
info@lumension.com
blog.lumension.com