On May 22, 2007 the Presidential Identity Theft Task Force issued Memorandum 07-16. It required all agencies to develop and implement data breach notification policies within 120 days, as outlined by the memorandum. M-07-16 included a number of new recommendations and requirements agencies must use in creating such policies.

What is Personally Identifiable Information (PII)?

M-07-16 expanded the definition of personally identifiable information to the following: “personally identifiable information refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as data and place of birth, mother’s maiden name, etc.”

The following are a number of requirements outlined by various attachments to M-07-16 in order to protect personally identifiable information:

Safeguarding Against the Breach of Personally Identifiable Information

Part A of Attachment I reiterated the privacy and security requirements for Federal agencies enforced under the Privacy Act, such as establishing safeguards, ensuring the integrity of data and establishing “rules of conduct” for individuals handling information. Furthermore, under the Privacy Act, agencies are require to assign risk levels to information systems according to NIST SP 800-37.

Attachment I also created the following new requirements:

Review and Reduce the Volume of Personally Identifiable Information

Agencies should conduct an initial review to identify records containing PII and ensure that the information is timely, accurate, relevant and complete. Only the information necessary for carrying out government activities should be maintained. After the initial review, the holdings of PII should be periodically review according to a public schedule

Reduce the Use of Social Security Numbers

All agencies were required to develop a plan within 120 days of the memorandum to eliminate any unnecessary collection of Social Security Numbers (SSN) within eighteen months. Furthermore agencies were also charged with the responsibility of working with other Federal agencies to create a Federal identifier separate from Social Security Numbers.

Security Requirements

Agencies must implement the following security features to protect all Federal information, not just data containing PII:

• Encryption
• Require two factor authentication using separate devices when accessing information remotely
• Implement a Time-Out function requiring re-authentication after a period of inactivity on remote access and mobile devices
• Log data extracts from data files containing sensitive information and verify each extract including the destruction of sensitive data after 90 days after it is no longer in use
• Educate all individuals handling PII and have them sign a document annually stating they understand their responsibilities.

Incident Reporting and Handling

Attachment 2 of M-07-16 reviewed FISMA guidelines for the reporting of data breaches and modified several requirements.

US-CERT Reporting

All agencies must report incidents involving PII to the United States Computer Emergency Readiness Team regardless of whether a threat may be potential or confirmed. Reporting must take place with one hour of its detection for Category 1 incidents. Examples of Category 1 incidents include:

• An individual gaining physical or logical access to a Federal agency’s network, information system, applications, or data without authorization
• Any confirmed or potential breach of personally identifiable information regardless of how the breach occurred

Develop and Publish a Routine Use

Routine use includes all uses of data which are in line with the purposes for which data was originally collected. Effectively taking countermeasures to reduce the threat to information due to a security breach may require Federal agencies to share PII with other agencies and law enforcement officials with whom no data sharing agreement exists. To respond adequately, agencies should establish routine use policies to allow the disclosure of information without the prior consent of the individual in situations involving data breach investigations.

External Breach Notification

Attachment 3 of M-07-16 addresses how and when data breaches should be reported to   affected individuals and/or the public. All agencies must develop data breach notification policies to guide officials and deciding when notification is necessary and how it should be undertaken.

Whether Breach Notification is Required

Agencies should assess the level of risk and the likelihood of the breach causing harm using the following five factors:

• Type of information compromised
• Number of affected individuals
• Accessibility and usability of the information
• Likelihood of harm occurring
• Ability of the agency to mitigate harm

Timelines of the Notification

If notification is to be undertaken, it should be carried out promptly upon discovery. Notification may be delayed, as authorized but a senior official, if notification may seriously affect law enforcement proceedings.

Source of the Notification

Notification to affected individuals should come from the head of the agency where the breach occurred. Notification for breaches affecting less than fifty people may also come from the Chief Information or Privacy Officer.

Contents of the Notification

Notice should be provide in writing and contain the following information

• Type of information compromised
• Whether the information was encrypted or similarly protected
• Steps the individual can take to mitigate harm
• Steps the agency is taking to investigate the breach, mitigate harm and protect against future incidents
• Contact information for the agency

Means of Providing Notification

Method of notification depends on the number of affected individuals and the urgency of the notification. Methods include:

• Telephone
• First-Class mail
• Email
• Existing Government wide services
• Newspapers and other media
• Any accommodations necessary for individuals with disabilities

Who Receives Notification

For every data breach, agencies must consider whether to provide notification to the affected individuals and/or the public. Notification to individuals should occur promptly after the need for notification has been determined. Notification to the public including the media should be carefully planned to avoid alarm or confusion. Notice should also be posted on the agencies web page when public notification occurs.

Rules and Consequences Policy:

Attachment 4 of M-07-16 set forth a new requirement. All agencies must develop and implement a Rules and Consequences policy for employees handling personally identifiable information.

The policy must outline the requirements of employees according to their level of responsibility and the type of information they handle. Employees must be aware of their responsibilities under Federal law as well as the consequences for any violations. Supervisors that fail to take disciplinary action when violations occur are also subject to penalties. The policy should address:

• The types of individuals that must comply, including employees, contractors and other individuals handling PII maintained by the Federal government
• The types of actions that constitute violations including
  • Failing to maintain or implement security controls
  • Accessing PII or disclosing PII to other individuals without authorization
  • Failing to report suspected data breaches or unauthorized disclosures
  • Failing to adequately instruct, train or supervise employees handling PII (for managers)

Summary

The Federal Government has a legal responsibility to protect the personally identifiable information is has collected from individuals. Memoranda such as M-07-16 ensure that the security of personally identifiable information remains an ongoing discussion and concern within the Federal Government.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• OMB Memorandum 07-16 (II.A.c.2.j)

1. “Security and Privacy Training is inadequate and poorly aligned with the different roles and responsibilities of personnel.”

Proper security and privacy education is part of the administrative safeguards needed to properly protect data. Information handlers must understand the risks facing sensitive information and their responsibilities towards maintaining the Fair Information Practices Principles. The report instructed agencies to include privacy and security training upon employment, maintain awareness through weekly tips, annual “security days” and other creative reminders. Agencies should also target individuals with more security and privacy responsibilities and provide more extensive training.

2. “Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.”

The Privacy Act of 1974 allows the sharing of information between government agencies provided the information receives the same level of protection after disclosure and the two agencies sign and follow a data sharing agreement. Failing to comply with a  data sharing agreement may allow serious breaches of a individual’s privacy. Agencies are encouraged to offer incentives for successful compliance with a data sharing agreement or contract. Agencies are also required to create detailed agreements (using Federal Acquisition Regulation Language) describing the procedures for protecting the information and assigning an individual to oversee the data sharing process.

3. “Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.”

Under the Freedom of Information Act and the Privacy Act of 1974, government agencies are required to maintain adequate records on the type or information systems they maintain and the types and uses of the information. With a few exceptions, such information must be available to the public. Improper record keeping poses a threat to the transparency of government activities and an individual’s right to access the information and agency maintains about them. Agencies should use enterprise architecture and inventories to review the type, location, and uses of information it has on record. Security controls should be developed in consideration of the inventory and all systems containing personally identifiable information should be regularly assessed to ensure the integrity and security of the data.

4. “Information is not appropriately scheduled, archived or destroyed.”

Information must be protected at all stages of its lifecycle including those when it is not in active use. The proper destruction of information is particularly important to safeguarding privacy. Information must be assessed to determine how long it needs to be maintained and whether it is permanent and needs to be archived by the NARA or temporary and needs to be destroyed. Agencies must obtain the National Archives and Records Administration approval to dispose of their records according to established record schedules.

5. “Suspicious activities and incidents are not identified and reported in a timely manner.”

Information security is an ongoing process which requires identifying and detecting potential threats. Instituting a system without following up with security checks and incident response is ignoring a fundamental part of the information security process. Agencies should develop and follow a set of procedures to identify and respond to security or privacy incidents. Response should be timely in order to be effective. Agencies should configure their computer systems to detect intrusions, monitor use, and log any incidents. Furthermore incidents should be reported to authorized personnel and agencies to reduce risk as quickly as possible.

6. “Audit Trails documenting how information is processed are not appropriately created or reviewed.”

It is not just the type of information that is collected but how it is used that is restricted to protect privacy and civil liberties. Accurate audit trails are necessary to record how information is being collected, used, maintained and disclosed by an agency. Agencies should use managed data repositories to develop and review the necessary audit trails. Those audit trails can then be used to identify anomalies, determine the status of data and destroy data when it is no longer necessary.

7. “Inadequate security controls where information is collected, created, processed or maintained.”

Security controls include technical, physical and administrative safeguards. They are the primary defense against unauthorized access and use of information. Agencies should maintain inventories of their physical property including real estate and mobile devices. Stronger controls should be applied to areas of high impact or high risk. Security procedures should be reviewed regularly (at least annually) to ensure physical access is granted only to authorized individuals.

8. “Information security controls are not adequate.”

The sole purpose of information security controls is to prevent unauthorized use and access. When such controls fail, the system must be improved or replaced to be provide adequate protection to information which is guaranteed under U.S. law. Security controls should be tested annually with higher risk systems tested more frequently. Personnel that test controls should be separate from the personnel that administer the controls regularly, to allow outside enforcement. Problems and improvements should be shared among agencies to promote awareness. All common security configurations should follow NIST guidelines. Agencies must also consider how the public availability of information affects how government information is protected.

9. “Inadequate protection of information accessed or processed remotely.”

Mobile devices and the increasing use of cloud computing technologies all government employees to access government information when working away from the office. Data must be protected equally when accessed from a computer at the agency and when accessed from a mobile device. Agencies should maintain an audit log of any information accessed or processed remotely. NIST encryption methods, two factor authentication, and automatic log outs after a certain period of inactivity should be employed. Agencies should ensure personnel understand the security risks involved with remotely accessing such information and have them sign a document denoting their privacy and security responsibilities.

10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines.

The E-Government Act of 2002 requires that all new information security systems conduct Privacy Impact Assessments prior to use, and periodically thereafter in order to evaluate the effectiveness of the system in protecting the information it maintains. Failing to assess new technologies for their privacy protections leaves large holes in the security of the system. Agencies should include information system planning, development and maintenance in their procedures and budgets. Systems should be purchased and implemented only when found to be cost effective in adequately protecting information. Software and hardware encryption products should be used according to the NIST certified cryptographic modules.

Summary

While there are a number of regulations such as the Privacy Act of 1974, the E-Government Act of 2002, as well as the Fair Information Practice Principles which guide the use of information by the Federal Government, such regulations are not always implemented properly. Reports such as the Common Risks Impeding the Adequate Protection of Government Information are necessary to maintain an ongoing discussion regarding information privacy and security and continue to increase security protections as technologies and threats evolve.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Common Risks Impeding the Adequate Protection of Government Information
• Information Privacy Laws for U.S. Government Practice (I.C.)

It’s a jungle out there

Disorder and confusion everywhere

No one seems to care

Well I do

Hey, who’s in charge here?

It’s a jungle out there

Several years ago, using software engineering methods, University of California San Diego researchers demonstrated SSH is provably secure.  And SSH has shown itself to be nearly as good as claimed, posting only 31 bugs since 1998, most of which were minor.  Until now…  Three researchers from the Royal Holloway Information Security Group (ISG) at the University of London, Martin Albrecht, Kenny Paterson and Gaven Watson, found flaws in the proof.  They’ve shown that SSH is vulnerable to a “Man-in-the-middle” attack, where someone inserts themselves between a sender and receiver, grabs information, changes it and sends it along.

The Problem

There are actually three problems that account for the ISG discovered flaw:

1. The first lies in the manner the original security models used for the proof were constructed. The original proof pre-supposes garbled information may simply be reset as a failure and will not impact the security of the encryption used to protect the data.  The model never distinguished between the various kinds of failure, but the failure information turns out to be accessible to an adversary.  
2. The second is an implementation decision made by the original software developers for SSH.  The developers had two choices: send how big the transmitted information is (packet length field) unencrypted, which gives a small amount of information that tells an attacker how much data they had to crack, or encrypt hacker detectable information in the packet length field, possibly creating a “known plaintext” attack and thereby decreasing the keyspace.  SSH’s developers chose the unknown.  
3. The last problem has to deal with encryption modes and feedback loops.  In order to efficiently create and keep an encrypted tunnel between two computers hard to break, information from the current set of mathematical operations is used to incrementally change the next set, preventing various encryption attacks.  What data are taken from the current packet and fed into the next depend on the “cryptographic mode” chosen.  By default, SSH uses cipher-block chaining (CBC) mode instead of counter (CTR) mode.

Exploiting the ssh flaws

The ISG researchers took the error information reported that the proof never accounted for, and the design decision made by SSH developers, and began tinkering.  They eventually found a method of reducing the security in the default settings of SSH.  They reduced the overall security by creating a guessing game where an attacker has a one in 262,144 chance of success versus a brute force attempt at 1 in 4.2 billion  (2^18 vs 2^32).  You’ll only recover a very small amount of information using this method (14 or 32 bits), but it is enough to be useful.  The researchers’ vulnerability was first announced in November 2008, when the UK Centre for the Protection of National Infrastructure (CNPI) simply could not ignore the problem and, working with the ISG, issued a CPNI advisory.  Full details of the flaw were not announced until this month, when the researchers presented at an IEEE Symposium in California.

Vulnerability mitigation strategies

Even though the attack will work “with probability 1″ in some circumstances, it’s somewhat difficult to pull-off in general, and is about as stealthy as a freight train.  OpenSSH v 5.2 and above should not be susceptible to this particular exploit.  According to the CPNI advisory, the SSH flaw may be mitigated in current SSH versions by using CTR mode instead of the default CBC mode.  

Takeaway

This same technology reliance problem shows up repeatedly.  Use new equipment and products to increase efficiency, but do not over-rely on automation and technology.  Someone somewhere will notice of something unexpected, even with proven secure products.  Audit system results and write policies to take into account that the technology eventually will fail, not just from hackers or even questionable coding decisions – hurricanes, fires and employee clumsiness can all accomplish the same thing.  If your systems fail, any private information exposed will cost money – in breach notifications, time resetting the systems and general reputation.   The ISG researchers summed up the situation succintly in their paper: 

Unfortunately, it seems that real world cryptographic implementations are more complex than the current security models for SSH handle.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Managing Risk and compliance (Foundations:I.G.b) including: Privacy Policy Development, Risk Management, Compliance
• Information Security (Foundations: II.C) including: Encryption (data-in-motion) and Threats & Vulnerabilities

Mr. Elefant, would you please tell me a little bit about your background?

I’ve been in and around payments for 20 plus years. I started a company called IC Verify which was the first PC payment software company in the 80’s doing credit cards, ATM / debit and check processing on personal computers. We rolled that out to 250K merchants in 21 countries with a half dozen languages. ICVerify was merged with CyberCash, and I became the vice chairman of CyberCash. After leaving CyberCash, I was involved in several other startups including a company called Price Radar in the online auction space, a digital content management and micro payments company called Yaga and then venture capital for the last five years before joining Heartland Payment Systems.

________________________________________

So the division you’re handling is the payment systems?
I am the executive director of end-to-end encryption. This position touches on many aspects of Heartland’s diverse business.

________________________________________

As far as the end-to-end encryption, first, what do you think of the media’s treatment of Heartland? From my perspective, with a little time in journalism, the story was ‘if it bleeds, it leads’… that seems to be the mantra and the announcements that went on with Heartland incident, the media absolutely had a field day. What was the actual severity of the breach, and was it as bad as the media portrayed?

We seem to be turning the tide. We’ve been proactive in leading industry change, sharing information and furthering the development of end-to-end encryption as a key element that will help the industry be more secure.
________________________________________

What do you think of the PCI DSS? Does it go far enough? Obviously, with Visa putting you guys and RBS on probation… What was the disconnect, and what do you think of the PCI DSS?

Heartland was PCI certified every year it was assessed. Yet our system was breached, showing that the standards did not fully protect data. It may well be that no set of standards ever could fully protect data in this environment — where motivated criminals develop ever more sophisticated ways to infiltrate systems. We are working on new approaches to enhance security.
_______________________________________

So it’s just the application itself has to be certified and you guys are going above and beyond that throwing in the end-to-end encryption to take care of everything that’s not currently called out in the PCI-DSS?

Yes. What we’re doing is from the time the digits leave the mag stripe, as they are read through that read head, they will be encrypted with very strong TRSM (Tamper Resistant Security Module) and AES encryption. Through the terminal, over the wires, through our hosts and through the card brands, the transaction will be encrypted – as long as the brands agree to do this.

________________________________________

As far as the price tag for a breach, what are we looking at as far as potential sanctions from the PCI, I’m not talking about specifically about Heartland, but in general terms if you can’t talk about Heartland, what are we looking at as a breach? We’re talking sanctions, breach notifications, brand harm – what do you see as the final price tag?

Breaches are expensive in all of those categories and more. The results of some past breaches are publicly available. I don’t’ know how to answer your question about a specific price tag. It’s still TBD.
________________________________________

A pretty consistent theme in my reading and at conferences is people saying, “The reason we’re doing all this security work is for compliance – we’re trying to comply with the governmental regulations rather than trying to do what’s in the best interest of protecting the customer.” Because there are risk tradeoffs, how do you weigh between the privacy of the user and the compliance with whatever regulation?

I think compliance and security go hand in hand. Compliance, though, is not enough in and of itself. That is why we are working to enhance the existing industry standards. We are also working with ANSI X9 F6 t to help create greater security around PAN’s as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Payments Processing Information Sharing Council (PPISC) to share threat information and protect the entire industry, business owners and consumers
________________________________________

So one of the reasons for the CIPP Guide website is to serve as a resource for the privacy professional certification. What do you think of certification programs, both in general as far as technology certifications go?

I think they’re very important. The education process that goes on within the industry has to be an ongoing one. It’s not a one-time thing. The industry changes and evolves, and the threat vectors change. This is a continuous process the industry needs to continue to support.
________________________________________

It definitely seems like you guys are moving in the right direction. As I said earlier, it’s unfortunate that the media gets a hold of these things, because, I seem to recall that the information that was lost was bad, but not so bad that it was going to bring about the end of the financial market.

We are trying to do things that benefit our business, the entire industry, merchants and consumers.

The complete interview with Mr. Steven Elefant, including more details on PCI and his thoughts on compliance is available in the CIPP Guide forums.

Ed. note:  Before the interview, Visa had revoked Heartland’s PCI compliant status as of March 13th, 2009.  According to Visa’s website, Heartland apparently regained their PCI compliant status as of April 30, 2009.  As of May 7, 2009, the Heartland breach reportedly cost over $12.5 Million.

Join the forum discussion on this post - (1) Posts

The Federal Trade Commission and State Attorneys General enforce federal and state laws of consumer privacy protection for Unfair or Deceptive Trade Practices (UDTP).  One recent example was the State of Maine’s consumer protections, which are more restrictive than the federal laws with respect to cigarette labeling.  The State brought suit against a tobacco manufacturer for violating the state’s deceptive trade law, which the manufacturer argued was out of line due to the Federal Cigarette Labeling Act.  The Supreme Court decision upheld the State’s right to pass more restrictive legislation, pointing out:  

Neither the Labeling Act’s pre-emption provision nor the Federal Trade Commission’s actions in this field pre-empt respondents’ state law fraud claim. Pp. 5–20. 

 (a) Congress may indicate pre-emptive intent through a statute’s express language or through its structure and purpose. See Jones v. Rath Packing Co., 430 U. S. 519, 525. When the text of an express pre-emption clause is susceptible of more than one plausible reading, courts ordinarily “accept the reading that disfavors pre-emption.” 

The rationale in (a) requires express language for a federal law to negate a State’s right to create more restrictive legislation.  The first citing by the high court becomes the contentious issue for House Bill H.R. 2221, proposed by Illinois Representative Bobby Rush.  The bill tackles several tough interstate commerce issues, placing the FTC in charge of disposal regulations for obsolete or abandoned paper records containing personal information, breach notifications and verification requirements for information brokers.  Section 6 of the so-called Data Accountability and Trust Act includes a provision reading:

 (a) …This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly–

1. requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2; and
2. requires notification to individuals of a breach of security resulting in unauthorized acquisition of data in electronic form containing personal information.

(b) Additional Preemption-

1. IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act. 

This would strike several of the state privacy and notification laws (possibly including California’s SB 1386), stripping the State’s rights and growing Washington’s power.  It also bars the State Attorneys General from bringing suit, possibly in an effort to avoid a double jeopardy situation.  There are numerous case studies of the FTC and State Attorneys General working hand-in-hand for consumer protection; why this law tries to hamstring the situation is a bit of a mystery.

One more interesting note on Representative Rush’s proposal – the bill also places an encryption exemption on breach notification.  As we noted in a recent post on corporate disposal policies, hackers and researchers seem to notice protection missteps and use them to bypass security provisions just like encryption.

The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.

The law has a 10 year lifespan, which should be a decent requirement before the Advanced Encryption Standard (AES), currently the de-facto encryption standard (and as yet to be compromised), ages beyond its effectiveness.

Update: President Obama’s May 20th, 2009 Memorandum on the Subject of Preemption and State’s Rights quotes Justice Brandeis saying, ”[i]t is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Regulatory Authorities (CIPP: I.A.c) including: The Federal Trade Commission
• Enforcement of U.S. Privacy and Security Laws (CIPP: II.B.d, I.A.c) including: Unfair and Deceptive Trade Practices (UDTP), and enforcement powers under the FTC Act section 5 
• Privacy and Data Protection Regulation (Foundations: I.F.a, I.F.b) including: Sectoral legal framework 
• National data protection regimes (Foundations: I.F.b) including: State’s Rights 
• Specific Privacy and Security laws (CIPP: I.B.g) including: Breach notification
• Information Security (Foundations: II.C) including: Encryption