What is the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act of 2002 (also referred to as SOX) was drafted by Senator Paul Sarbanes and Representative Michael Oxley. The SOX established new standards for corporate accountability and penalties for violations. The intention of the SOX was to improve the accuracy and reliability of corporate disclosures made pursuant to securities laws, along with other purposes. The two main objectives of the SOX are: 1) To restore investor confidence in light of corporate scandals and 2) To prevent further instances of corporate fraud.

The Act applies to all public companies held in the United States, as well as international companies that have registered equity or debt securities with the Securities and Exchange Commission and the accounting firms they do business with. However, the SOX does not apply to privately traded companies in the US.

The key sections of the SOX are listed below:

–                    Section 201: Prohibited Auditor Activities

–                    Section 302: CEO and CFO Responsibilities Regarding Corporate Reports

–                    Section 404: Management Assessment of Internal Controls

–                    Section 409: Real Time Disclosure

–                    Section 802: Criminal Penalties for Altering Documents

–                    Section 806: Whistleblower Protection

–                    Section 807: Criminal Penalties for Fraud

The US Securities and Exchange Commission (SEC) is responsible for the administration and oversight of the SOX. Although the Act listed a number of areas of reform, it was left to the SEC and other US securities exchanges to implement the changes.

Why have the Sarbanes-Oxley Act?

The SOX was passed January 23, 2002 in the aftermath of high-profile corporate financial scandals, amongst them, the Enron, Tyco and WorldCom scandals.  Such events were the cause of hundreds of billions of dollars in losses, both corporate and investor, in the US alone. This resulted in a frenzy of media stories, covering issues including:

–                    Executive over-compensation

–                    Systematic management failures

–                    Lack of board oversight

–                    Criminal prosecutions of executives and senior management

Sarbanes-Oxley Audits

The SOX requires that all financial reports include an internal control report. Under the Act, companies are required to save all documentation used to create financial reports and audits. SOX defines “documentation” as:

• Relevant records (e.g. workpapers)
• Documents that form the basis of an audit or review
• Memoranda
• Correspondence and other communications
• Records which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review. This extends to electronic records

Sarbanes-Oxley & Information Security

The SOX requires trade secrets to be identified, classified and valued. These values also need to be publicly reported, as the subject of adequate internal controls, for instance, effective access restrictions. The majority of states have required owners of trade secrets to be able to show that they have taken reasonable measures to protect the information from disclosure. As most trade secrets are both created and stored electronically, the protection of trade secrets is inseparable from other information security measures.

Criticisms of the Sarbanes-Oxley Act

The SOX was, for the most part, slow to be adopted and its efficacy was not assessed for a number of years after its passage. While observers debate on whether the benefits of the Act can outweigh the costs of implementation, there are a number of major concerns that have been raised thus far:

–                    The SOX was designed and implemented too hastily. Companies were unclear on the new rules, some of which were made binding before the SEC or securities exchanges had been able to produce detailed interpretation.

–                    Reforms outlined in the SOX imposed an increased regulatory burden. One study had put the total compliance cost for the public sector at $1.4 trillion, while another study showed that the compliance with the internal controls requirements alone had cost US businesses over $30 billion. Critics point out that this financial burden has fallen to smaller and emerging firms disproportionately.

–                    Foreign companies are opting to delist or choosing not to list on American stock exchanges as a result of the SOX. Firms have also chosen not to go public, in order to avoid SOX compliance costs. Market experts argue that requirements imposed by the Act have served to discourage entrepreneurial, risk-taking behavior. This is just one example of the hidden costs of the SOX.

Canadian Responses to the Sarbanes-Oxley Act

While the SOX introduced significant changes to corporate governance and disclosure obligations in the US, Canadian lawmakers felt it necessary to adopt similar measures, in order to remain compatible and competitive with their US counterparts. As a result, Canadian rules and regulations were introduced in mid-2005 by the CSA (Canadian Securities Administrators), along with the OSC (Ontario Securities Commission).

Summary

This article takes a look at the Sarbanes-Oxley Act of 2002 (SOX), which established new standards for corporate accountability and penalties for violations. The Act applies to all public companies held in the United States, as well as international companies that have registered equity or debt securities with the US Securities and Exchange Commission. The SOX also requires trade secrets to be subject to adequate internal controls and must be protected from unauthorized disclosure. This article also explores some criticisms of the SOX.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

–                    Oraganizational practices (II.A.b.)

–                    Data governance (V.B.)

–                    Auditing (V.C.)

Credit Card Fraud in Context

The following high-profile cases of credit card fraud underscore the need for security practices, such as the PCI DSS:

–                    February 2005: Bank of America loses of 1.2 million customer records, although there was no evidence that the records had come into the wrong hands.

–                    June 2005: Merchant payment-processing provider, CardSystems, is sued for failing to provide adequate protections for the personal information of over 40 million customers.

–                    February 2006: Approximately 400,000 debit card accounts were disclosed by retail merchants.

–                    January 2007: A MoneyGram (a payment service provider) server was unlawfully accessed, revealing the names, addresses, phone numbers and bank account numbers of some 79,000 customers.

–                    January 2007: The credit/debit card numbers of over 45 million customers was stolen from the TJX IT system.

What is PCI DSS?

In 2004, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International created the Payment Card Industry (PCI) data security framework. Before developing this standard, each company had a proprietary set of information security requirements, which presented a challenge to participants in multiple brand networks. The uniform set of information security requirements they developed became known as the PCI Data Security Standard (PCI DSS), which applies to all payment channels: retail, mail orders, phone orders and e-commerce.

PCI DSS is comprised of twelve security requirements (aka the “digital dozen”), which are as follows:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software/programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.

Compliance with PCI DSS

Compliance with PCI DSS is becoming more and more important for businesses of all sizes. Demonstrating compliance with the standard proves to customers that an organization has secure systems that can be trusted with their sensitive payment card information. As a result, customers are more likely to build trust in the brand, become repeat customers and recommend the business to others. Compliance with PCI DSS can also develop a business’ reputation with acquirers and payment brands. It can also make other compliance processes easier (e.g. with HIPAA, SOX, etc.).

There are three main stages of compliance:

1. Collecting and Storing – This involves the secure collection and tamper-proof storage of log data so that it is available for analysis.
2. Reporting – This is the ability to prove compliance should an audit arise. The organization should also show evidence that data protection controls are in place.
3. Monitoring and Alerting – This involves implementing systems to enable administrators to monitor access and usage of data. There should also be evidence that log data is being collected and stored.

Non-Compliance

There are numerous negative consequences of non-compliance with the PCI DSS. Compromised payment card data has negative outcomes for consumers, merchants and financial institutions. Compromised data can damage an organization’s brand reputation. Breaches of account data can result in loss of sales, relationships, diminished community standing and decreased share prices, for publicly traded companies.

Other negative consequences of non-compliance may also include:

–                    Lawsuits

–                    Cancelled accounts

–                    Payment card issuer fines (which could amount up to $500,000 per incident)

–                    Government fines

–                    Insurance claims

–                    Loss of ability to process payment card transactions

PCI DSS in Canada

PCI DSS has been a major driving force for Canadian businesses in improving their IT security systems. As a globally-recognized set of mandatory security practices, PCI DSS to any Canadian company, organization or government department that engages in the storage, processing or transmission of payment card information. As the twelve steps involved in PCI compliance form the foundation for general IT security frameworks, it may be a good starting point for a variety of organizations.

According to IBM Canada security architect Gary McIntyre, “Canadian firms that failed to achieve PCI compliance would not likely get disconnected from the card networks, but they would face stringent financial penalties from Visa or MasterCard.”

Summary

This article explores the PCI DSS (Payment Card Industry Data Security Standard), developed in 2004 by a number of stakeholders in the payment card industry. The PCI DSS is comprised of twelve security requirements, which are referred to as the “digital dozen.” The article discusses the advantages of compliance, as well as the necessary stages to achieve compliance with the PCI DSS. Finally, the article looks at the PCI DSS from an international standpoint, introducing the adoption of the standard in Canada.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

–                    Industry Consortia Security Frameworks (V.B.iv.)

–                    PCI DSS (V.B.iv.1.)

Staggering Statistics

Types of Incidents resulting in Breach - all time from DataLossDB.org

Types of Incidents resulting in Breach - YTD 2009 from DataLossDB.org

All of this regulation and legislation covers day-to-day activities surrounding quarterly and annual reporting, personally identifiable information storage and protection, information security policies and appropriate retirement and disposal of files and data.  Much of the legislation was in response to rising problems with identity theft, corporate scandal or high profile private records breach.  The exposure numbers are staggering.  According to statistics collected by the Open Security Foundation, there was a 117 fold rise in data security breaches since 2000 and 400% escalation in breaches since 2005.  In 2005, the Federal Trade Commission estimated 3.7% of the US adult population were victims of a records breach.  By 2008, breach notifications affected 84 Million records, approximately 5.6% of the population.  17% of those breaches were based on paper losses, such as check stubs, account statements or other printed documents.  However, the other 83% of the breaches reported involved electronic records, accounting for over 98% of the total records lost.  The two graphs denote the source of the losses, with a consistent 36% breach rate because of theft or loss, but an interesting 9 point upswing this year (8% vs 17%) because of lost equipment or improper document disposal.  Some of the categories (like lost tapes) have been nearly eliminated in recent years by industry best practices and paradigm shifts.

Dumpster Diving for PII

So how is it that Mr. Steve Hunt happened across a treasure trove of private financial information lying in a dumpster behind what he describes as a “big bank in a big city”.  The bank hired Hunt’s company, Hunt Business Intelligence, and was surprised at the results, finding check stubs, bank statements, wire transfer information and even a computer from the “Chicago Board of Trade”.  There are obviously policies regarding file disposal, especially at any large banks to comply with the legislative requirements.  Checks, bank statements, files and other paper should be shredded.  Computer equipment should see more than simply file deletions – they at least require the digital equivalent of shredding and some regulations expect physical destruction of hard drives.  So how does a privacy professional work around this sort of data exposure problem when policy is absolutely ignored?

“There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue,” Hunt said.  Mr. Hunt is referring to not only the lost bits in use on the device, which privacy and security professionals obsess over with technologies such as DLP (Data Loss/Leakage Prevention), but also losses where the data reside, be it paper bank statements, backup tapes, or used hardware disposal methods.  We see time and time again how smaller devices facilitate loss or theft, thereby impacting privacy, with examples ranging from memory stick losses at a prison,  a USB drive compromising major intelligence operations or stolen laptops and smartphones.  But most of the items Hunt calls out are not the ultra-portable electronics; they’re examples where companies apparently forget policy in the name of cleanliness - rejected Xerox copies, unclaimed faxes and a third party computer (which no one probably knew what to do with and someone finally grew tired of looking at).

Although Hunt called out pretty significant personal details uncovered on the papers retrieved, statistics, logistics and plain old physics consistently point to electronic records as the bigger picture.  You simply can’t compromise as much paper information without a tractor-trailer and physically being in a location.  It might only take Hunt 3 minutes to find items in the trash, but the planning and execution (and lingering odor) may encompasses hours.  The risk is also significantly more tangible to the perpetrator than a remote, network-based attack – instead of an air conditioned room and a laptop, a dumpster diver faces police and private surveillance, neighborhood watches, and the physical stigma of traipsing through the trash.  This likely deters all but the most determined adversary.  So don’t forget proper paper disposal: it’s well understood and it will place your company in the news 17% of the time, but realize that it amounts to 2% of the total disclosure problem.

An Inventory of Assets

Corporations should already have an inventory of assets in this age of eDiscovery.  A chart of who owns what equipment and what’s stored on it will allow you to meet court demands, quickly figure out what you should have at any moment of time and where to look when data are needed later.  At a minimum this includes such IT items as servers, desktops, laptops and smart phones, regardless of their owner, as well as any hardware off site.  This should help avoid mysterious losses of equipment like a laptop in the trash.

Information Lifecycle Mapping

Better still: enterprise information lifecycle mapping will go much further in defining what information may be at risk due to loss, theft or policy failure.  In dealing with privacy data, lifecycle mapping shows what data are being created during collection, for what use and purposes, in what formats the data are retained, and most importantly, delineate who has disclosure access to each piece of information.  This is especially useful in multi-sector corporations and third party / marketing vendor relationships, where management and administration of data flows must be reconciled across large population swaths.  Lifecycle controls also allow monitoring of customer opt-in and opt-out decisions and appropriate enforcement of policies.

Mitigating Data Recovery Risks

The recovered laptop’s battery was drained, but Hunt says, ”I know how to connect to a hard drive.” Would the laptop have been susceptible to recovery as Hunt suggested? Up until ten months ago in Indiana, the laptop wouldn’t require a breach notification, as long as the system had a password installed on the machine.  Anyone in the security industry will tell you how easy it is to circumvent or recover a user name and password, especially if that’s the best protection on the system.  My information security professor back in college regularly emphasized, “Once you get your hands on the hardware, all bets are off”.  So what may be done to manage this risk?

Cryptography eliminates disclosure risks?

Most states, including Indiana since their requirements change, expect encryption will provide adequate protection from information loss, and therefore do not require breach notifications for cryptographically secured equipment loss.  Cryptography is impressive, effectively eliminating data-at-rest risk in most instances where the equipment is turned off.  (There are plenty of cryptography protection examples for data-in-transit or data-in-use we’ll leave for another time.)    Encryption is not the disclosure panacea.  There are sometimes flaws in software code and, even when properly executed, eventually the mathematics behind encryption systems age.  Then there are security revelations, such as the Cold Boot presentation last year.  Security researchers at Princeton successfully circumvented military grade encryption, not by cracking the mathematics, but by taking notice of a peculiarity in how encrypted computer systems operate, and more importantly how users operated the computer systems.

Hard Disk Data Remanence

Everyone should be familiar with a computer’s “Recycle Bin”, the place where “deleted” files stay until the second stage deletion (empty recycle bin on Windows) removes the file.  Even that second stage doesn’t really delete the file.  The OS removes the file’s header information, and frees the occupied locations for writing.  Liken it to simply tearing off the top page of a fax and flipping the pages over to write on.  The short version: if you’re serious about deleting private information on decommissioned equipment, keep the encryption and ‘erase’ the disks following the old DoD policies, where drives are overwritten multiple times with a specific pattern.   That’s better than best practices and will easily avoid any sorts of negligence findings anywhere in the near future.  However, another security researcher named Peter Gutmann took notice of how the DoD drive erasure security process was actually implemented and determined that data were recoverable unless erasure was manufacturer and model specific – with rewrites of up to 35 times.  The DoD found the lengthy process of overwriting disks according to Gutmann’s studies too costly, and now most often uses NSA approved Degaussers to literally rip the bits off the drive.  A third alternative entails physically shredding the hard disks like paper records.

Third Party Equipment

The Chicago Board of Trade did well by labeling their equipment so it may be identified.  It appears they probably missed the mark by leaving off an easy to use contact method or shipping address.  Contracts for third party vendors must take into consideration loaned equipment installed on customer premises.  Mistakes made by third party vendors bring shame to their organization, but more than likely breach notifications will go out on your corporate stationary.  Regular compliance audits (including dumpster dives if you wish) and data lifecycle management are crucially important as the primary vendor.  All of these activities will help manage corporate risk.

Disposal Policy Conclusions

With each improvement in security technology, someone eventually notices a problem with how it’s implemented or nuances of actual usage, as evidenced specifically in the examples from both the Princeton folks and Gutmann.  Avoid complete technology reliance and prepare for the latest system’s failure.  Follow best practices relating to security & disposal, document the modifications into processes and write policies to manage the gaps.  Always be prepared to account for numb skulls in your organization – audit your processes and staff and you may be surprised at what you find.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Privacy Regulations (Foundations:I.F.b, CIPP: I.B) and Compliance Requirements (Foundations:II.B),
• Managing Risk and compliance (Foundations:I.G.b) including: Privacy Policy Development, Risk Management (Data Recovery and Disposal Policy )and Compliance and Incident Management
• Policy (Foundations: I.C) including: Internal use and disclosure, Third Party Relationships
• Data Lifecycle (Foundations:I.E.vi) including: Collection, Use & Retention, Disclosure, Management & Administration and Monitoring & Enforcement
• Information Security (II.C) including: Encryption(data-at-rest and disk encryption), Asset Management (asset inventory & information classification), Threats & Vulnerabilities, (Data remanence and Dumpster diving)