State Bar of California California Bar Journal
Home Page Official Publication of the State Bar of California March2005
Top Headlines
Opinion
MCLE Calendar of Events
Discipline
You Need to Know
Trials Digest
Contact CBJ
PastIssues

Safeguarding Corporate Information

IMPORTANT NOTICE: This article is provided solely for research and archival purposes. MCLE self-study credit is no longer available. Even if you follow the instructions and submit payment you will not be granted MCLE self-study credit. Please note that low-cost MCLE is provided by the California Lawyers Association, pursuant to Business and Professions Code section 6056.

New laws place equal emphasis on protecting company data and responding to security breaches

By Mark E. Harrington

Mark E. Harrington
Harrington

On Sept. 29, 2004, Gov. Arnold Schwarzenegger approved four new laws extending privacy protection in California. One of those laws, AB 1950, requires companies that own or license unencrypted personal information about California residents to “implement and maintain reasonable security procedures and practices” for that data. (California Business and Professions Code §1798.81.5 (b)) The practices that companies will need to implement must be sophisticated and multi-faceted, as they are required to protect the personal information from “unauthorized access, destruction, use, modification or disclosure.” (Cal. Civ. Code 1798.81.5 (c))

This latest California law is just another in a series of recent state and federal laws requiring companies to implement processes and procedures for safeguarding data and responding to incidents quickly and efficiently when a breach of those safeguards occurs. The regulatory landscape governing information security requirements for organizations places the same degree of emphasis on response processes as well as prevention and detection. One of the central themes of these regulations is that subject organizations are required to have capabilities able to timely identify, contain, mitigate and disclose noteworthy incidents. 

However, many of the laws that require corporate incident response are surprisingly deficient in providing guidance on how a company practically implements an infrastructure that will permit it to comply. This lack of guidance means that counsel will ultimately have to manage the liability risk inherent in complying with new, ill-defined laws.

Legal requirements

It has become commonplace, and even trendy, for federal and state laws and regulations to include provisions regarding the protection of electronic data and requirements relating to the establishment of internal controls. Section 404 of the Sarbanes-Oxley Act (SOX) calls for “internal control” procedures that, according to the SEC, “[p]rovide reasonable assurance regarding prevention or untimely detection of unauthorized acquisition, use or disposition of the [company’s] assets that could have a material effect on the financial statements.” While Sarbanes-Oxley was enacted out of the national reaction to corporate fraud, the intention and impact of the SOX legislation “extend(s) beyond the accounting functions of a company.” (68 FR 36636, 36638) Establishing such internal controls will not only help bring a company into compliance with SOX requirements, but also allow it to develop a broader-based incident response system to meet the requirements of other laws and regulations.

Several federal agencies have now issued information security regulations governing the financial industry, which serve to implement the Gramm-Leach-Bliley Act (GLBA). These regulations generally mandate that incident response processes, consistent with best practices, be implemented as part of an overall information security plan. The Federal Trade Commission’s (FTC) Safeguards Rule, for instance, requires that covered entities maintain information security programs that include “responding to attacks, intrusions or other systems failures.” The FTC rules went into effect May 2003. The Treasury Department maintains interagency “Safety and Soundness” security guidelines that specifically require banks to implement “response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.” 

Nearly identical regulations are present under the Health Insurance Portability and Accountability Act (HIPAA). Specifically, HIPAA guidelines note that “[d]ocumenting and reporting incidents, as well as responding to incidents, are an integral part of a security program.” (HIPAA regulations, 45 CFR Part 164.308(a)(6))

The Federal Financial Institutions Examination Council (FFIEC), in its role of augmenting these FTC and Treasury Department regulations with specific guidelines for GLBA compliance, published its “IT Examination Handbook (FFIEC Handbook),” which addresses incident response and computer forensics in detail as part of the overall information security infrastructure. By stating “risk mitigation only occurs through an effective and timely response,” the FFIEC Handbook identifies three key areas an incident response framework should include:

  • Isolation of compromised systems or enhanced monitoring of intruder activities;
  • A search for additional compromised systems; and
  • Collection and preservation of evidence.

Under GLBA Section 505, agencies such as the FTC, Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC) may enforce GLBA with strict penalties such as fines and injunctive relief. For example, the FDIC may enforce violations under Section 8 of the Federal Deposit Insurance Act, which gives the FDIC authority to impose penalties ranging from $5,000 per day up to $1 million. GLBA §§521 and 523 also provide enhanced criminal penalties for persons who gain fraudulent access to protected financial information.

Similar to AB 1950, the California Mandatory Disclosure Law, known as SB 1386, requires an organization to inform its customers if any of those customers’ personal data is compromised as a result of a security breach. This legislation is broad in scope as it affects any organization operating in California and/or has California businesses or residents as clients.

If a security breach occurs, organizations must determine if personal data has been accessed, modified or deleted in a reasonable time frame. In order to effectuate a timely and accurate analysis to determine if personal data has been compromised, an enterprise incident response and investigation infrastructure is necessary.

Corporate counsel are also increasingly becoming familiar with ISO 17799, which was formerly adopted in December 2000 by the International Standards Organization as a “code of practice for information security” (ISO 17799 or, “the standard”). While ISO 17799 addresses many aspects of information security and internal controls, the need for formal incident response procedures and tools is a significant and integral part of the ISO 17799 equation. 

According to the standard, “[i]nformation security is achieved by implementing a suitable set of controls.” (Id. Section 8.1.3. Note also that security incidents should be reported to management as soon as possible, which requires the ability to make a prompt assessment of the incident. Id. Section 6.3.1.) Among the necessary measures identified by the standard that establish “suitable controls” is an incident response process that enables an enterprise to “minimize the damage from security incidents and malfunctions, and . . . monitor and learn from such incidents.” Id.

As an initial matter, ISO 17799 recommends that an enterprise should establish procedures “to ensure a quick, effective and orderly response to security incidents.” Id. These procedures should cover:

  1. analysis and identification of the cause of the incident;
  2. planning and implementation of remedies to prevent recurrence, if necessary;
  3. collection of audit trails and similar evidence;
  4. communication with those affected by or involved with recovery from the incident;
  5. reporting the action to the appropriate authority. Id.

The enterprise that has suffered a security incident must properly collect evidence for three purposes:

  1. internal problem analysis;
  2. use as evidence in relation to a potential breach of contract, breach of regulatory requirement or in the event of civil or criminal proceedings, e.g. under computer misuse or data protection legislation;
  3. negotiating for compensation from software and service suppliers. Id.

Incident response best practices

In determining compliance with regulations and requirements by the courts, current technology is an important factor in determining best practices. In United States v. Greathouse, a federal court determined that best practices for an on-site computer forensic search of multiple networked computers would be determined by the latest “technological developments” in computer forensics software. (297 F.Supp.2d 1264 (D.OR 2003); 2003 WL 23110388) This important legal decision and other similar decisions clearly establish that compliance is driven by best practices, which is a standard that evolves with available technology.

When processing computer evidence for judicial purposes, a party has “a duty to utilize the method that would yield the most complete and accurate results.” Gates Rubber Co. v. Bando Chem. Indus. Ltd. 167 F.R. D. 90 (D.C. Col 1996). An enterprise can meet the duty stated in Gates Rubber Co. by employing the best forensic tools available in its response to a security incident. Furthermore, ISO 17799 calls on enterprises to use computer forensics to preserve the admissibility of evidence: “For information on computer media: copies of any removable media, information on hard disks or in the memory should be taken to ensure availability. The log of all actions during the copying process should be kept . . . (ISO 17799, Section 8.1.3)

As detailed above, this sort of obligation requires the enterprise to be able to collect and preserve evidence in a forensically sound manner. As a result, an enterprise that does, or expects to do, business with an ISO 17799 compliant organization should employ the best forensic tools available for use in its response to security incidents.

In addition to providing a response mechanism for network intrusions, an enterprise incident response capability offers broad application to many forms of enterprise investigations, including investigating various insider threats, policy violations, employee disputes and internal financial fraud. Under Sarbanes-Oxley, internal investigations are a critical control activity for addressing internal fraud and preventing and mitigating the destruction of computer evidence — an enumerated criminal penalty set forth in the Sarbanes-Oxley statute.

Key to an organization embracing the role of incident response in compliance is knowledge. Significant education must occur, as CIOs, CSOs and legal counsel must understand these existing regulations, the standard of care they require and the relevance and availability of newer technologies enabling broader compliance. 

Over the past few years, enterprise incident response (EIR) technology has emerged to provide very compelling incident response and computer forensics technology across a wide-area-network (WAN). This new technology, primarily software-based, helps address several shortcomings in current enterprise security processes. Notably, the capabilities of EIR not only provide essential functionality, but also a map to many of the regulatory requirements. The key functionality of EIR includes:

IMMEDIATE RESPONSE CAPABILITY. A key benefit of EIR is its revolutionary ability to conduct immediate and thorough forensic analysis of any system on a WAN. Many financial institution agencies have deployed EIR for immediate, global incident response and computer forensic capabilities. These capabilities enable organizations “to identify [a] crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service,” as required by the FFIEC. Once an incident is identified and confirmed, an EIR can engage in critical remediation activities, such as shutting down rogue processes and closing unauthorized ports.

INITIAL SYSTEM SNAPSHOT AND ANALYSIS OF VOLATILE DATA. NIST special publication 800-61 outlines that the “initial system snapshot” function is a critical technical requirement for incident response. The system snapshot capability of EIR is specifically designed for rapid and thorough incident response analysis. A snapshot of all volatile data, such as open ports, open files, running processes and the live registry, is quickly obtained from any compromised system on the WAN. This critical aspect of incident response enables very rapid identification and assessment of an incident. Additionally, EIR can capture and examine volatile data from several systems at once. This is important, especially when the exact location of the compromise must be determined. It enables the incident response team to rapidly “search for additional compromised systems” as required by the FFIEC guidelines.

ANALYSIS OF LIVE SYSTEMS WITH MINIMAL INVASIVENESS. Another important advantage of EIR is its ability to analyze live systems in a sound, forensic manner that is invisible to the user or attacker without taking the systems offline. As noted by the FFIEC and NIST, maintaining business continuity is a critical operational necessity. While the guidelines note the need for a proper forensic analysis is often balanced against the operational interest of maintaining business continuity, EIR does not require any such compromise.

CENTRALIZATION AND INTEGRATION WITH INCIDENT IDENTIFICATION SYSTEMS. To be truly effective and a substantial component of the overall information security architecture, an EIR should be centralized and able to identify and have rapid access to all servers and workstations on the wide-area-network from a Security or Network Operations Center.

PROACTIVE COMPROMISE ASSESSMENT CAPABILITIES. In addition to targeted and rapid response, an EIR can search multiple systems (up to several thousand an hour) to identify previously undetected compromises. This is important for incident response purposes, as if one system is compromised; it is highly possible that other systems are also compromised. Additionally, this enables a proactive approach to seek out unknown compromises and effectively address zero-day events.

COURT-ACCEPTABLE COMPUTER ACQUISITION AND FORENSIC ANALYSIS. EIR technology is based on comprehensive, robust computer forensic analysis capability. This means the analysis is non-invasive, works below the operating system to identify hidden and deleted data and meets legal requirements for authentication of any gathered evidence. These capabilities are essential in ensuring examination accuracy, enabling successful prosecution of company interest(s) in court and compliance with mandated incident reporting requirements.

Without a robust technical infrastructure to support it, incident response is limited in its scope and effectiveness. These technical capabilities of an EIR are thus important as they enable greatly improved security incident response processes and a more effective information security architecture.

Conclusion

In order to meet the ever-growing requirements of federal and state laws and regulations, corporate counsel must play a vital role in establishing and ensuring that a company’s incident response program comports with best practices. If properly organized and monitored, corporate counsel should be able to rest easier knowing that electronic data is properly secured and, that if a breach occurs, the company can quickly and efficiently secure the impacted information.

Mark Harrington is associate general counsel for Guidance Software Inc., where he focuses on the preparation and negotiation associated with business agreements and in shaping company policy with the in-house legal team. He also is a board member of the Association of Corporate Counsel, Southern California.

Certification

  • This self-study activity has been approved for Minimum Continuing Legal Education credit by the State Bar of California in the amount of one hour.

  • The State Bar of California certifies that this activity conforms to the standards for approved education activities prescribed by the rules and regulations of the State Bar of California governing minimum continuing legal education.

Self-assessment test

Answer the following true-false statements after reading the MCLE article on Rule of Professional Conduct 2-100. Use the answer form provided to send the test, along with a $20 processing fee, to the State Bar. If you do not receive your certificate within four weeks, call 415-538-2504.

  1. So long as an organization can respond to a discovery request or place a litigation hold, there is no legal requirement for it to be proactive in safeguarding its electronic data.
  2. A company firewall is adequate electronic data protection.
  3. Best practices of data protection requires a forensically sound method for protecting and searching data within an organization.
  4. Sarbanes-Oxley calls for “internal control” procedures that extend beyond the accounting functions of a company.
  5. Under the Federal Trade Commission’s (FTC) Safeguards Rule, a covered entity is advised but not required to enact a security program that includes “responding to attacks, intrusions or other systems failures.”
  6. California companies must implement and maintain reasonable security procedures and practices if they own or license unencrypted personal information about California residents.
  7. Most laws requiring corporate incident response capabilities include guidance on how to implement such an infrastructure.
  8. California’s Mandatory Disclosure Law requires an organization to inform its customers if any of the customer’s personal data is compromised as a result of a security breach.
  9. A complete incident response infrastructure must include the ability to conduct investigations over the enterprise’s wide-area-network (WAN).
  10. ISO 17799 advises that enterprises use computer forensics to preserve the admissibility of evidence.
  11. Federal courts have determined that best practices for safeguarding and searching for relevant electronic data requires the latest technological developments in computer forensics software.
  12. An organization’s ability to take a quick “snapshot” of volatile electronic data is recommended by NIST special publication 800-61 as a critical technical requirement for incident response.
  13. Proper analysis of electronic data on live systems requires those systems to be shut down.
  14. Counsel should require that protection and analysis of electronic data is done in a forensically sound manner to withstand evidence authentication challenges.
  15. Under the Health Insurance Portability and Accountability Act (HIPAA), documenting and reporting incidents, as well as responding to incidents, are an integral part of a security program.
  16. As a result of regulations implementing the Gramm-Leach-Bliley Act (GLBA), the FTC and FDIC have broad powers to fine and grant injunctive relief against organizations that fail to implement incident response practices as part of an overall information security plan.
  17. The California Business and Professions Code now requires companies to implement and maintain sophisticated procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure.
  18. California’s Mandatory Disclosure Law, SB 1386, applies only to companies operating in California.
  19. If a company is ISO 17799 compliant, it must be able to properly collect evidence in response to potential breaches of contract, regulatory violations or in the event of civil or criminal proceedings, such as a violation of data protection legislation.
  20. An effective incident response program can provide the basis for efficient electronic discovery in the event of litigation.
Contact Us Site Map Notices Privacy Policy
© 2024 The State Bar of California