New laws on the horizon?

keatron (Member, Posts: 1,213)
I've been saying since SOX, HIPAA, and GLB hit hard that we were going to eventually see "SOX-like" legislation for privately held businesses/small businesses. Remember, you heard it here first!

I see in the future the companies who have managed to skate by with lax security having to step up to the plate. The banks in this article have a darn good argument. It is usually the merchants who end up losing information. And if they're not publicly traded, we may never know about it.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=297167

Pretty much every company holds either credit card info, bank account numbers, or social security numbers in some form or fashion. If this is compromised, it could mean an easier route into a more protected entity, like a bank perhaps. The way this is starting is usually how the government gets involved and lays down the law. The banks are saying they're not to blame, the merchants say they're not because they have to meet PCI standards, and the credit card companies say obviously blame the banks because they are more concerned with GLB than they are PCI. Those of you making the move to security, get ready. I see another tub of opportunity in the near future as some of the stiff security regulations that government agencies, public companies, banks and the medical world have to try and meet (and suffer the embarrassment of public disclosure) make their way down to "mom and pop" shops (mine included).

The next 5 years will be very interesting in the security world.

Comments

  • JDMurray (Admin, Posts: 13,031)
    Rather than regulate specific types or tiers of businesses, the information itself should be regulated. For example, any business that must handle SS numbers must abide by specific regulations regardless of its size. Credit and debit card numbers are a problem because they must be handled by even the smallest business. In this case, rather than legislation mandating more protection from the business for numbers, a safer method for performing credit/debit transactions is needed.

    Each area of information insecurity has its own special set of problems and mitigations. A blanket piece of legislation that is designed to threaten businesses into adopting more secure patterns of behaviors is not going to be effective--unless the goal is to rake in huge fines from violators and put honest people out of business.
  • keatron (Member, Posts: 1,213)
    JDMurray wrote:
    Rather than regulate specific types or tiers of businesses, the information itself should be regulated. For example, any business that must handle SS numbers must abide by specific regulations regardless of its size. Credit and debit card numbers are a problem because they must be handled by even the smallest business. In this case, rather than legislation mandating more protection from the business for numbers, a safer method for performing credit/debit transactions is needed.

    Each area of information insecurity has its own special set of problems and mitigations. A blanket piece of legislation that is designed to threaten businesses into adopting more secure patterns of behaviors is not going to be effective--unless the goal is to rake in huge fines from violators and put honest people out of business.

    I don't see them being threatened to the point of being pushed out of business, just being made more accountable than currently. Also, I think you're being a little extreme there. As with most of this legislation (SOX, HIPAA, and GLB included), there have never been any serious penalties handed out in the first place, so not many, if any, companies have been driven to the point of going out of business because of HIPAA or GLB, but regardless of what you might hear, it has been relatively effective. If nothing else, companies have had to look at their security status from an angle they never have before, and through that process (which includes training), they have become more aware of their own existing issues and are working to resolve them. HIPAA, SOX and all the others have repeatedly issued compliance deadlines, then repeatedly extended them. So regardless of what one might think, this pattern shows that the goal is to tighten things down and increase awareness. I think the short history of these compliance regulations demonstrates that.

    Besides, the first "real" HIPAA audit just happened this month.
    http://www.itcinstitute.com/display.aspx?id=3729
  • JDMurray (Admin, Posts: 13,031)
    I'm thinking that any new legislation to protect private data will need to have enforced penalties to be regarded seriously. You are correct that choosing to not abide by HIPAA regulations will not incur any penalties. I worked for a medical software company when the first HIPAA deadline was approaching. We regarded HIPAA compliance as necessary not because we would face penalties, but because it was a bullet point that potential customers would be looking for on our product marketing glossies. If it were not for the HIPAA-compliance demands of our customers, we would not have cared.

    Many small healthcare organizations simply do not find it cost effective to achieve HIPAA compliance. If they faced penalties for not doing so, I think that some would opt to change their business model away from healthcare, or discontinue business operations altogether.
  • keatron (Member, Posts: 1,213)
    JDMurray wrote:
    I'm thinking that any new legislation to protect private data will need to have enforced penalties to be regarded seriously. You are correct that choosing to not abide by HIPAA regulations will not incur any penalties. I worked for a medical software company when the first HIPAA deadline was approaching. We regarded HIPAA compliance as necessary not because we would face penalties, but because it was a bullet point that potential customers would be looking for on our product marketing glossies. If it were not for the HIPAA-compliance demands of our customers, we would not have cared.

    Many small healthcare organizations simply do not find it cost effective to achieve HIPAA compliance. If they faced penalties for not doing so, I think that some would opt to change their business model away from healthcare, or discontinue business operations altogether.

    HIPAA compliance is just one example. There are obviously security goals that can be achieved by a business of virtually any size. I think the model I have in mind is one that's actually "doable". I also envision it only being truly successful if the small business community is involved. For example, a lot of small businesses are connected to the web with NO firewall protection. Making it mandatory to have such a mechanism shouldn't make a company decide they don't want to be in the business anymore. The truth of the matter is, some small businesses don't want any regulation on anything. Bottom line is this: if you own or run a business that requires the storage, usage, or viewing of private or confidential information, whether it be of an individual or a business/entity, you SHOULD BE responsible for securing it to some level. Most states have made moves in this direction (following JD's state of California, which pioneered this effort). But it's really loose and very hard to enforce at any level. With credit cards, for example, I think in most states the owner of the data is considered to be the credit card company, not the merchant. So the merchant's reporting obligation usually ends with reporting it to the parent credit card company.

    Imagine someone asking to borrow your laptop for a couple of days. You agree to this. While they're using it, they connect it to their network, which is loaded down with viruses and spyware and other garbage (because he failed to protect his network). Now imagine your laptop getting rendered completely useless by all of this garbage on his network. When you get it back and discover this, you call him to complain. His response is, "sorry dude, stuff happens". You wouldn't be happy. Nor would I be happy if a merchant I do business with got hacked and exposed my social security number and bank account information to a malicious individual who ended up running me up a tab of a couple grand. Especially if I called and all they could tell me was "stuff happens". But the problem is, since those smaller businesses aren't even required to report when those breaches occur, I wouldn't even know who to call to complain about it.

    On the other hand, if my bank was hacked and my information stolen, or even exposed to the risk of being stolen, I will most likely get a letter stating such. So at least I would know something happened and know to be looking out (credit card activity, credit report, bank account, etc.). So there are two very simple requirements right there that could make a considerable difference.

    1. Get some kind of protection.
    2. Let your customers know when your negligence to do so caused their personal information to be stolen.

    Sure, part of PCI compliance (which you agree to when your business starts accepting credit cards for payment) says you'll report these breaches to the credit card company, etc. But the worst thing they would do is not allow you to accept credit cards anymore (and this rarely happens). Yes, they have penalties (financial, of course), but they truly don't have grounds to enforce them on, short of taking you to civil court (and these cases are a total mess). Besides, PCI only deals with the credit card side of it. What about checks? The small businesses who don't take credit cards almost always take checks (just being a cash-only business can certainly hurt revenue).

    With the way things are going now and cyber crime growing like bacteria, businesses who are not protected will eventually be "out of business" anyway. If you get a reputation for having people's information compromised in a small community, you're dead in the water. The funny thing I've seen in court (when small businesses are involved) is the small town communities always feel it's an "inside job" when something like this happens, even if it's far from the truth. Those who are not very technically sound just don't believe "the hype" when it comes to these things. I can't count the times where I've had judges and lawyers in court flat out disagree with me concerning recovering files from a formatted hard drive. Most of 'em just don't believe it. They've lost files or deleted files and not been able to get them back, so they believe it's impossible to get them back. Why? Because their nephew, cousin, niece, baby's daddy, friend, or neighborhood geek kid, who all happen to know everything there is to know about computers, said so. Oftentimes it actually takes a live demonstration of a deletion and recovery to get the point across.

    As a business owner myself, I'd hate to be trying to explain to my customers "no no no sir, none of my employees used your credit card to buy those **** subscriptions, see a hacker in California hacked our system and HE used your card number". It is a tougher sale than you might realize.

    I imagine the first few pieces of legislation in this regard will focus heavily on reporting the breaches to customers. After that happens, the rest will be a natural reaction. In other words, no one wants to be guilty of having to send out 4 or 5 letters per year to customers saying "uhmmm yeah, about that credit card you had to shred and replace last month because of our hacking incident; you're going to have to get another one because it happened again". Being small is no excuse for security being non-existent.
  • RoboNerd (Member, Posts: 14)
    It seems to me that the driver for security hardening will come from due care litigation in the next few years. The tidal wave is just now starting to gather, but with every week seeming to bring out yet more disclosures, InfoSec professionals are going to have some interesting problems on their hands. I.e., what is the personal liability of an InfoSec professional should a system he is accountable for be compromised, or used as a proxy to compromise other systems or launch distributed attacks? Will InfoSec professionals require bonding and insurance? (Certainly we will be requiring higher compensation in that case!!!)

    I'm really concerned about the prospects of civil litigation with respect to security, since "due care" is subjective at best, and the layman juror would probably have little ability to grasp the monumental efforts required to maintain secure information systems.