Mr. Elefant, would you please tell me a little bit about your background?

I’ve been in and around payments for 20 plus years. I started a company called IC Verify which was the first PC payment software company in the 80’s doing credit cards, ATM / debit and check processing on personal computers. We rolled that out to 250K merchants in 21 countries with a half dozen languages. ICVerify was merged with CyberCash, and I became the vice chairman of CyberCash. After leaving CyberCash, I was involved in several other startups including a company called Price Radar in the online auction space, a digital content management and micro payments company called Yaga and then venture capital for the last five years before joining Heartland Payment Systems.

________________________________________

So the division you’re handling is the payment systems?
I am the executive director of end-to-end encryption. This position touches on many aspects of Heartland’s diverse business.

________________________________________

As far as the end-to-end encryption, first, what do you think of the media’s treatment of Heartland? From my perspective, with a little time in journalism, the story was ‘if it bleeds, it leads’… that seems to be the mantra and the announcements that went on with Heartland incident, the media absolutely had a field day. What was the actual severity of the breach, and was it as bad as the media portrayed?

We seem to be turning the tide. We’ve been proactive in leading industry change, sharing information and furthering the development of end-to-end encryption as a key element that will help the industry be more secure.
________________________________________

What do you think of the PCI DSS? Does it go far enough? Obviously, with Visa putting you guys and RBS on probation… What was the disconnect, and what do you think of the PCI DSS?

Heartland was PCI certified every year it was assessed. Yet our system was breached, showing that the standards did not fully protect data. It may well be that no set of standards ever could fully protect data in this environment — where motivated criminals develop ever more sophisticated ways to infiltrate systems. We are working on new approaches to enhance security.
_______________________________________

So it’s just the application itself has to be certified and you guys are going above and beyond that throwing in the end-to-end encryption to take care of everything that’s not currently called out in the PCI-DSS?

Yes. What we’re doing is from the time the digits leave the mag stripe, as they are read through that read head, they will be encrypted with very strong TRSM (Tamper Resistant Security Module) and AES encryption. Through the terminal, over the wires, through our hosts and through the card brands, the transaction will be encrypted – as long as the brands agree to do this.

________________________________________

As far as the price tag for a breach, what are we looking at as far as potential sanctions from the PCI, I’m not talking about specifically about Heartland, but in general terms if you can’t talk about Heartland, what are we looking at as a breach? We’re talking sanctions, breach notifications, brand harm – what do you see as the final price tag?

Breaches are expensive in all of those categories and more. The results of some past breaches are publicly available. I don’t’ know how to answer your question about a specific price tag. It’s still TBD.
________________________________________

A pretty consistent theme in my reading and at conferences is people saying, “The reason we’re doing all this security work is for compliance – we’re trying to comply with the governmental regulations rather than trying to do what’s in the best interest of protecting the customer.” Because there are risk tradeoffs, how do you weigh between the privacy of the user and the compliance with whatever regulation?

I think compliance and security go hand in hand. Compliance, though, is not enough in and of itself. That is why we are working to enhance the existing industry standards. We are also working with ANSI X9 F6 t to help create greater security around PAN’s as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Payments Processing Information Sharing Council (PPISC) to share threat information and protect the entire industry, business owners and consumers
________________________________________

So one of the reasons for the CIPP Guide website is to serve as a resource for the privacy professional certification. What do you think of certification programs, both in general as far as technology certifications go?

I think they’re very important. The education process that goes on within the industry has to be an ongoing one. It’s not a one-time thing. The industry changes and evolves, and the threat vectors change. This is a continuous process the industry needs to continue to support.
________________________________________

It definitely seems like you guys are moving in the right direction. As I said earlier, it’s unfortunate that the media gets a hold of these things, because, I seem to recall that the information that was lost was bad, but not so bad that it was going to bring about the end of the financial market.

We are trying to do things that benefit our business, the entire industry, merchants and consumers.

The complete interview with Mr. Steven Elefant, including more details on PCI and his thoughts on compliance is available in the CIPP Guide forums.

Ed. note:  Before the interview, Visa had revoked Heartland’s PCI compliant status as of March 13th, 2009.  According to Visa’s website, Heartland apparently regained their PCI compliant status as of April 30, 2009.  As of May 7, 2009, the Heartland breach reportedly cost over $12.5 Million.

Join the forum discussion on this post - (1) Posts

Staggering Statistics

Types of Incidents resulting in Breach - all time from DataLossDB.org

Types of Incidents resulting in Breach - YTD 2009 from DataLossDB.org

All of this regulation and legislation covers day-to-day activities surrounding quarterly and annual reporting, personally identifiable information storage and protection, information security policies and appropriate retirement and disposal of files and data.  Much of the legislation was in response to rising problems with identity theft, corporate scandal or high profile private records breach.  The exposure numbers are staggering.  According to statistics collected by the Open Security Foundation, there was a 117 fold rise in data security breaches since 2000 and 400% escalation in breaches since 2005.  In 2005, the Federal Trade Commission estimated 3.7% of the US adult population were victims of a records breach.  By 2008, breach notifications affected 84 Million records, approximately 5.6% of the population.  17% of those breaches were based on paper losses, such as check stubs, account statements or other printed documents.  However, the other 83% of the breaches reported involved electronic records, accounting for over 98% of the total records lost.  The two graphs denote the source of the losses, with a consistent 36% breach rate because of theft or loss, but an interesting 9 point upswing this year (8% vs 17%) because of lost equipment or improper document disposal.  Some of the categories (like lost tapes) have been nearly eliminated in recent years by industry best practices and paradigm shifts.

Dumpster Diving for PII

So how is it that Mr. Steve Hunt happened across a treasure trove of private financial information lying in a dumpster behind what he describes as a “big bank in a big city”.  The bank hired Hunt’s company, Hunt Business Intelligence, and was surprised at the results, finding check stubs, bank statements, wire transfer information and even a computer from the “Chicago Board of Trade”.  There are obviously policies regarding file disposal, especially at any large banks to comply with the legislative requirements.  Checks, bank statements, files and other paper should be shredded.  Computer equipment should see more than simply file deletions – they at least require the digital equivalent of shredding and some regulations expect physical destruction of hard drives.  So how does a privacy professional work around this sort of data exposure problem when policy is absolutely ignored?

“There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue,” Hunt said.  Mr. Hunt is referring to not only the lost bits in use on the device, which privacy and security professionals obsess over with technologies such as DLP (Data Loss/Leakage Prevention), but also losses where the data reside, be it paper bank statements, backup tapes, or used hardware disposal methods.  We see time and time again how smaller devices facilitate loss or theft, thereby impacting privacy, with examples ranging from memory stick losses at a prison,  a USB drive compromising major intelligence operations or stolen laptops and smartphones.  But most of the items Hunt calls out are not the ultra-portable electronics; they’re examples where companies apparently forget policy in the name of cleanliness - rejected Xerox copies, unclaimed faxes and a third party computer (which no one probably knew what to do with and someone finally grew tired of looking at).

Although Hunt called out pretty significant personal details uncovered on the papers retrieved, statistics, logistics and plain old physics consistently point to electronic records as the bigger picture.  You simply can’t compromise as much paper information without a tractor-trailer and physically being in a location.  It might only take Hunt 3 minutes to find items in the trash, but the planning and execution (and lingering odor) may encompasses hours.  The risk is also significantly more tangible to the perpetrator than a remote, network-based attack – instead of an air conditioned room and a laptop, a dumpster diver faces police and private surveillance, neighborhood watches, and the physical stigma of traipsing through the trash.  This likely deters all but the most determined adversary.  So don’t forget proper paper disposal: it’s well understood and it will place your company in the news 17% of the time, but realize that it amounts to 2% of the total disclosure problem.

An Inventory of Assets

Corporations should already have an inventory of assets in this age of eDiscovery.  A chart of who owns what equipment and what’s stored on it will allow you to meet court demands, quickly figure out what you should have at any moment of time and where to look when data are needed later.  At a minimum this includes such IT items as servers, desktops, laptops and smart phones, regardless of their owner, as well as any hardware off site.  This should help avoid mysterious losses of equipment like a laptop in the trash.

Information Lifecycle Mapping

Better still: enterprise information lifecycle mapping will go much further in defining what information may be at risk due to loss, theft or policy failure.  In dealing with privacy data, lifecycle mapping shows what data are being created during collection, for what use and purposes, in what formats the data are retained, and most importantly, delineate who has disclosure access to each piece of information.  This is especially useful in multi-sector corporations and third party / marketing vendor relationships, where management and administration of data flows must be reconciled across large population swaths.  Lifecycle controls also allow monitoring of customer opt-in and opt-out decisions and appropriate enforcement of policies.

Mitigating Data Recovery Risks

The recovered laptop’s battery was drained, but Hunt says, ”I know how to connect to a hard drive.” Would the laptop have been susceptible to recovery as Hunt suggested? Up until ten months ago in Indiana, the laptop wouldn’t require a breach notification, as long as the system had a password installed on the machine.  Anyone in the security industry will tell you how easy it is to circumvent or recover a user name and password, especially if that’s the best protection on the system.  My information security professor back in college regularly emphasized, “Once you get your hands on the hardware, all bets are off”.  So what may be done to manage this risk?

Cryptography eliminates disclosure risks?

Most states, including Indiana since their requirements change, expect encryption will provide adequate protection from information loss, and therefore do not require breach notifications for cryptographically secured equipment loss.  Cryptography is impressive, effectively eliminating data-at-rest risk in most instances where the equipment is turned off.  (There are plenty of cryptography protection examples for data-in-transit or data-in-use we’ll leave for another time.)    Encryption is not the disclosure panacea.  There are sometimes flaws in software code and, even when properly executed, eventually the mathematics behind encryption systems age.  Then there are security revelations, such as the Cold Boot presentation last year.  Security researchers at Princeton successfully circumvented military grade encryption, not by cracking the mathematics, but by taking notice of a peculiarity in how encrypted computer systems operate, and more importantly how users operated the computer systems.

Hard Disk Data Remanence

Everyone should be familiar with a computer’s “Recycle Bin”, the place where “deleted” files stay until the second stage deletion (empty recycle bin on Windows) removes the file.  Even that second stage doesn’t really delete the file.  The OS removes the file’s header information, and frees the occupied locations for writing.  Liken it to simply tearing off the top page of a fax and flipping the pages over to write on.  The short version: if you’re serious about deleting private information on decommissioned equipment, keep the encryption and ‘erase’ the disks following the old DoD policies, where drives are overwritten multiple times with a specific pattern.   That’s better than best practices and will easily avoid any sorts of negligence findings anywhere in the near future.  However, another security researcher named Peter Gutmann took notice of how the DoD drive erasure security process was actually implemented and determined that data were recoverable unless erasure was manufacturer and model specific – with rewrites of up to 35 times.  The DoD found the lengthy process of overwriting disks according to Gutmann’s studies too costly, and now most often uses NSA approved Degaussers to literally rip the bits off the drive.  A third alternative entails physically shredding the hard disks like paper records.

Third Party Equipment

The Chicago Board of Trade did well by labeling their equipment so it may be identified.  It appears they probably missed the mark by leaving off an easy to use contact method or shipping address.  Contracts for third party vendors must take into consideration loaned equipment installed on customer premises.  Mistakes made by third party vendors bring shame to their organization, but more than likely breach notifications will go out on your corporate stationary.  Regular compliance audits (including dumpster dives if you wish) and data lifecycle management are crucially important as the primary vendor.  All of these activities will help manage corporate risk.

Disposal Policy Conclusions

With each improvement in security technology, someone eventually notices a problem with how it’s implemented or nuances of actual usage, as evidenced specifically in the examples from both the Princeton folks and Gutmann.  Avoid complete technology reliance and prepare for the latest system’s failure.  Follow best practices relating to security & disposal, document the modifications into processes and write policies to manage the gaps.  Always be prepared to account for numb skulls in your organization – audit your processes and staff and you may be surprised at what you find.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Privacy Regulations (Foundations:I.F.b, CIPP: I.B) and Compliance Requirements (Foundations:II.B),
• Managing Risk and compliance (Foundations:I.G.b) including: Privacy Policy Development, Risk Management (Data Recovery and Disposal Policy )and Compliance and Incident Management
• Policy (Foundations: I.C) including: Internal use and disclosure, Third Party Relationships
• Data Lifecycle (Foundations:I.E.vi) including: Collection, Use & Retention, Disclosure, Management & Administration and Monitoring & Enforcement
• Information Security (II.C) including: Encryption(data-at-rest and disk encryption), Asset Management (asset inventory & information classification), Threats & Vulnerabilities, (Data remanence and Dumpster diving)