Safeguarding Corporate Information
New laws place equal emphasis on protecting company data and responding
to security breaches
By Mark E. Harrington
On Sept. 29, 2004, Gov. Arnold Schwarzenegger approved four new laws extending
privacy protection in California. One of those laws, AB 1950, requires companies
that own or license unencrypted personal information about California residents
to “implement and maintain reasonable security procedures and practices”
for that data. (California Business and Professions Code §1798.81.5 (b))
The practices that companies will need to implement must be sophisticated and
multi-faceted, as they are required to protect the personal information from
“unauthorized access, destruction, use, modification or disclosure.”
(Cal. Civ. Code 1798.81.5 (c))
This latest California law is just another in a series of recent state and
federal laws requiring companies to implement processes and procedures for safeguarding
data and responding to incidents quickly and efficiently when a breach of those
safeguards occurs. The regulatory landscape governing information security requirements
for organizations places the same degree of emphasis on response processes as
on prevention and detection. One of the central themes of these regulations
is that subject organizations must have the capability to identify, contain,
mitigate and disclose noteworthy incidents in a timely manner.
However, many of the laws that require corporate incident response are surprisingly
deficient in providing guidance on how a company practically implements an infrastructure
that will permit it to comply. This lack of guidance means that counsel will
ultimately have to manage the liability risk inherent in complying with new,
ill-defined laws.
Legal requirements
It has become commonplace, and even trendy, for federal and state laws and
regulations to include provisions regarding the protection of electronic data
and requirements relating to the establishment of internal controls. Section
404 of the Sarbanes-Oxley Act (SOX) calls for “internal control”
procedures that, according to the SEC, “[p]rovide reasonable assurance
regarding prevention or timely detection of unauthorized acquisition, use
or disposition of the [company’s] assets that could have a material effect
on the financial statements.” While Sarbanes-Oxley was enacted out of
the national reaction to corporate fraud, the intention and impact of the SOX
legislation “extend(s) beyond the accounting functions of a company.”
(68 FR 36636, 36638) Establishing such internal controls will not only help
bring a company into compliance with SOX requirements, but also allow it to
develop a broader-based incident response system to meet the requirements of
other laws and regulations.
Several federal agencies have now issued information security regulations governing
the financial industry, which serve to implement the Gramm-Leach-Bliley Act
(GLBA). These regulations generally mandate that incident response processes,
consistent with best practices, be implemented as part of an overall information
security plan. The Federal Trade Commission’s (FTC) Safeguards Rule, for
instance, requires that covered entities maintain information security programs
that include “responding to attacks, intrusions or other systems failures.”
The FTC rules went into effect May 2003. The Treasury Department maintains interagency
“Safety and Soundness” security guidelines that specifically require
banks to implement “response programs that specify actions to be taken
when the bank suspects or detects that unauthorized individuals have gained
access to customer information systems, including appropriate reports to regulatory
and law enforcement agencies.”
Nearly identical regulations are present under the Health Insurance Portability
and Accountability Act (HIPAA). Specifically, HIPAA guidelines note that “[d]ocumenting
and reporting incidents, as well as responding to incidents, are an integral
part of a security program.” (HIPAA regulations, 45 CFR Part 164.308(a)(6))
The Federal Financial Institutions Examination Council (FFIEC), in its role
of augmenting these FTC and Treasury Department regulations with specific guidelines
for GLBA compliance, published its “IT Examination Handbook (FFIEC Handbook),”
which addresses incident response and computer forensics in detail as part of
the overall information security infrastructure. By stating “risk mitigation
only occurs through an effective and timely response,” the FFIEC Handbook
identifies three key areas an incident response framework should include:
- Isolation of compromised systems or enhanced monitoring of intruder activities;
- A search for additional compromised systems; and
- Collection and preservation of evidence.
Under GLBA Section 505, agencies such as the FTC, Office of the Comptroller
of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC) may enforce
GLBA with strict penalties such as fines and injunctive relief. For example,
the FDIC may enforce violations under Section 8 of the Federal Deposit Insurance
Act, which gives the FDIC authority to impose penalties ranging from $5,000
per day up to $1 million. GLBA §§521 and 523 also provide enhanced
criminal penalties for persons who gain fraudulent access to protected financial
information.
Similar to AB 1950, the California Mandatory Disclosure Law, known as SB 1386,
requires an organization to inform its customers if any of those customers’
personal data is compromised as a result of a security breach. This legislation
is broad in scope, as it affects any organization that operates in California
or has California businesses or residents as clients.
If a security breach occurs, organizations must determine, within a reasonable
time frame, whether personal data has been accessed, modified or deleted. In order
to effectuate a timely and accurate analysis to determine if personal data has
been compromised, an enterprise incident response and investigation infrastructure
is necessary.
Corporate counsel are also increasingly becoming familiar with ISO 17799, which
was formally adopted in December 2000 by the International Standards Organization
as a “code of practice for information security” (ISO 17799 or,
“the standard”). While ISO 17799 addresses many aspects of information
security and internal controls, the need for formal incident response procedures
and tools is a significant and integral part of the ISO 17799 equation.
According to the standard, “[i]nformation security is achieved by implementing
a suitable set of controls.” (Id. Section 8.1.3. Note also that security
incidents should be reported to management as soon as possible, which requires
the ability to make a prompt assessment of the incident. Id. Section 6.3.1.)
Among the necessary measures identified by the standard that establish “suitable
controls” is an incident response process that enables an enterprise to
“minimize the damage from security incidents and malfunctions, and . .
. monitor and learn from such incidents.” Id.
As an initial matter, ISO 17799 recommends that an enterprise should establish
procedures “to ensure a quick, effective and orderly response to security
incidents.” Id. These procedures should cover:
- analysis and identification of the cause of the incident;
- planning and implementation of remedies to prevent recurrence, if necessary;
- collection of audit trails and similar evidence;
- communication with those affected by or involved with recovery from the
incident;
- reporting the action to the appropriate authority. Id.
The enterprise that has suffered a security incident must properly collect
evidence for three purposes:
- internal problem analysis;
- use as evidence in relation to a potential breach of contract, breach of
regulatory requirement or in the event of civil or criminal proceedings, e.g.
under computer misuse or data protection legislation;
- negotiating for compensation from software and service suppliers. Id.
Incident response best practices
When courts determine compliance with regulations and requirements,
current technology is an important factor in establishing best practices. In
United States v. Greathouse, a federal court determined that best practices
for an on-site computer forensic search of multiple networked computers would
be determined by the latest “technological developments” in computer
forensics software. (297 F.Supp.2d 1264 (D. Or. 2003); 2003 WL 23110388) This
important legal decision and other similar decisions clearly establish that
compliance is driven by best practices, which is a standard that evolves with
available technology.
When processing computer evidence for judicial purposes, a party has “a
duty to utilize the method that would yield the most complete and accurate results.”
Gates Rubber Co. v. Bando Chem. Indus. Ltd., 167 F.R.D. 90 (D. Colo.
1996). An enterprise can meet the duty stated in Gates Rubber Co. by employing
the best forensic tools available in its response to a security incident. Furthermore,
ISO 17799 calls on enterprises to use computer forensics to preserve the admissibility
of evidence: “For information on computer media: copies of any removable
media, information on hard disks or in the memory should be taken to ensure
availability. The log of all actions during the copying process should be kept
. . . .” (ISO 17799, Section 8.1.3)
As detailed above, this sort of obligation requires the enterprise to be able
to collect and preserve evidence in a forensically sound manner. As a result,
an enterprise that does, or expects to do, business with an ISO 17799 compliant
organization should employ the best forensic tools available for use in its
response to security incidents.
In addition to providing a response mechanism for network intrusions, an enterprise
incident response capability offers broad application to many forms of enterprise
investigations, including investigating various insider threats, policy violations,
employee disputes and internal financial fraud. Under Sarbanes-Oxley, internal
investigations are a critical control activity for addressing internal fraud
and preventing and mitigating the destruction of computer evidence — an
enumerated criminal penalty set forth in the Sarbanes-Oxley statute.
Key to an organization embracing the role of incident response in compliance
is knowledge. Significant education must occur, as CIOs, CSOs and legal counsel
must understand these existing regulations, the standard of care they require
and the relevance and availability of newer technologies enabling broader compliance.
Over the past few years, enterprise incident response (EIR) technology has
emerged to provide very compelling incident response and computer forensics
technology across a wide-area-network (WAN). This new technology, primarily
software-based, helps address several shortcomings in current enterprise security
processes. Notably, the capabilities of EIR not only provide essential functionality,
but also a map to many of the regulatory requirements. The key functionality
of EIR includes:
IMMEDIATE RESPONSE CAPABILITY. A key benefit of EIR is its revolutionary
ability to conduct immediate and thorough forensic analysis of any system on
a WAN. Many financial institution agencies have deployed EIR for immediate,
global incident response and computer forensic capabilities. These capabilities
enable organizations “to identify [a] crisis as soon as it occurs, assess
its materiality, and control the reputation risk associated with any disruption
in service,” as required by the FFIEC. Once an incident is identified
and confirmed, an EIR can engage in critical remediation activities, such as
shutting down rogue processes and closing unauthorized ports.
INITIAL SYSTEM SNAPSHOT AND ANALYSIS OF VOLATILE DATA. NIST special
publication 800-61 outlines that the “initial system snapshot” function
is a critical technical requirement for incident response. The system snapshot
capability of EIR is specifically designed for rapid and thorough incident response
analysis. A snapshot of all volatile data, such as open ports, open files, running
processes and the live registry, is quickly obtained from any compromised system
on the WAN. This critical aspect of incident response enables very rapid identification
and assessment of an incident. Additionally, EIR can capture and examine volatile
data from several systems at once. This is important, especially when the exact
location of the compromise must be determined. It enables the incident response
team to rapidly “search for additional compromised systems” as required
by the FFIEC guidelines.
ANALYSIS OF LIVE SYSTEMS WITH MINIMAL INVASIVENESS. Another important
advantage of EIR is its ability to analyze live systems in a sound, forensic
manner that is invisible to the user or attacker without taking the systems
offline. As noted by the FFIEC and NIST, maintaining business continuity is
a critical operational necessity. While the guidelines note the need for a proper
forensic analysis is often balanced against the operational interest of maintaining
business continuity, EIR does not require any such compromise.
CENTRALIZATION AND INTEGRATION WITH INCIDENT IDENTIFICATION SYSTEMS.
To be truly effective and a substantial component of the overall information
security architecture, an EIR should be centralized and able to identify and
have rapid access to all servers and workstations on the wide-area-network from
a Security or Network Operations Center.
PROACTIVE COMPROMISE ASSESSMENT CAPABILITIES. In addition to
targeted and rapid response, an EIR can search multiple systems (up to several
thousand an hour) to identify previously undetected compromises. This is important
for incident response purposes because, if one system is compromised, it is highly
possible that other systems are also compromised. Additionally, this enables
a proactive approach to seek out unknown compromises and effectively address
zero-day events.
COURT-ACCEPTABLE COMPUTER ACQUISITION AND FORENSIC ANALYSIS.
EIR technology is based on comprehensive, robust computer forensic analysis
capability. This means the analysis is non-invasive, works below the operating
system to identify hidden and deleted data and meets legal requirements for
authentication of any gathered evidence. These capabilities are essential in
ensuring examination accuracy, enabling successful prosecution of company interest(s)
in court and compliance with mandated incident reporting requirements.
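The volatile-data snapshot described under "Initial system snapshot" (running processes, open ports, open files) and the evidence-authentication point made in the paragraph above can be illustrated together. The Python below is an added example, not code from this article or from Guidance Software's products; the host name, examiner ID, port baseline and the process, port and file records are constructed sample data, and the collector callables are stand-ins for whatever reads the live system in a real deployment. It shows a snapshot container that hashes each artifact as it is acquired, keeps a hash-chained log of every acquisition action (the "log of all actions during the copying process" that ISO 17799 asks for), and a verify step that detects later alteration of either the data or the log; a small sweep helper flags listeners outside a baseline, the FFIEC "search for additional compromised systems" step applied to one host's snapshot.

```python
"""Volatile-data snapshot with an integrity-protected acquisition log.

Added illustration, not the article's or any vendor's code. Collectors are
injected so the constructed sample data below runs offline; a real tool would
plug in process, socket and registry readers for the target host.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first log entry


def _canonical(obj) -> bytes:
    """Deterministic JSON so identical data always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class VolatileSnapshot:
    """Collects named volatile artifacts and records each action in a hash chain."""

    def __init__(self, host: str, examiner: str, clock=None):
        self.host = host
        self.examiner = examiner
        # Injectable clock keeps the example deterministic under test.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.artifacts = {}
        self.log = []

    def _record(self, action: str, detail: dict) -> None:
        prev = self.log[-1]["entry_hash"] if self.log else GENESIS
        body = {"ts": self._clock(), "examiner": self.examiner,
                "action": action, "detail": detail, "prev_hash": prev}
        self.log.append(dict(body, entry_hash=sha256_hex(_canonical(body))))

    def collect(self, name: str, collector) -> None:
        """Run one collector, detach its result from live objects, and hash it."""
        self._record("collect.start", {"artifact": name})
        data = json.loads(_canonical(collector()))
        digest = sha256_hex(_canonical(data))
        self.artifacts[name] = {"data": data, "sha256": digest}
        self._record("collect.done", {"artifact": name, "sha256": digest,
                                      "records": len(data)})

    def seal(self) -> dict:
        """Freeze the snapshot; the manifest hash covers host, artifacts and log."""
        self._record("seal", {"artifacts": sorted(self.artifacts)})
        body = {"host": self.host, "artifacts": self.artifacts, "log": self.log}
        return dict(body, manifest_sha256=sha256_hex(_canonical(body)))


def verify(container: dict) -> list:
    """Return integrity findings; an empty list means the evidence is intact."""
    findings = []
    for name, art in container["artifacts"].items():
        if sha256_hex(_canonical(art["data"])) != art["sha256"]:
            findings.append(f"artifact {name}: content does not match recorded hash")
    prev = GENESIS
    for i, entry in enumerate(container["log"]):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or sha256_hex(_canonical(body)) != entry["entry_hash"]:
            findings.append(f"log entry {i}: chain broken")
        prev = entry["entry_hash"]
    body = {"host": container["host"], "artifacts": container["artifacts"],
            "log": container["log"]}
    if sha256_hex(_canonical(body)) != container["manifest_sha256"]:
        findings.append("manifest hash mismatch")
    return findings


def unexpected_listeners(container: dict, allowed_ports) -> list:
    """Sweep helper: listening ports on this host that are outside the baseline."""
    ports = container["artifacts"]["listening_ports"]["data"]
    return sorted(p["port"] for p in ports if p["port"] not in allowed_ports)


# Constructed sample records standing in for what live collectors would return.
SAMPLE_PROCESSES = [
    {"pid": 412, "name": "svchost.exe", "user": "SYSTEM"},
    {"pid": 2231, "name": "outlook.exe", "user": "jdoe"},
    {"pid": 3090, "name": "updater.exe", "user": "jdoe"},
]
SAMPLE_PORTS = [{"port": 135, "pid": 412}, {"port": 8088, "pid": 3090}]
SAMPLE_FILES = [{"pid": 3090, "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\u.tmp"}]


def build_sample_snapshot(clock=None) -> dict:
    """Acquire the three sample artifacts from a hypothetical host and seal them."""
    snap = VolatileSnapshot("WKS-0042", "ir-analyst-1", clock)
    snap.collect("processes", lambda: SAMPLE_PROCESSES)
    snap.collect("listening_ports", lambda: SAMPLE_PORTS)
    snap.collect("open_files", lambda: SAMPLE_FILES)
    return snap.seal()


if __name__ == "__main__":
    container = build_sample_snapshot()
    print("intact:", verify(container) == [])
    print("listeners outside baseline:", unexpected_listeners(container, {135, 445, 3389}))
```

The container is what an examiner would hand to counsel: every artifact carries the hash computed at acquisition time, every acquisition step is logged with a link to the previous entry, and `verify` re-derives all of it, so a changed record or a deleted log line surfaces as a specific finding rather than a silent discrepancy. Running `unexpected_listeners` over containers from many hosts is the sweep the FFIEC guidance calls for after a first compromise is confirmed.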
Without a robust technical infrastructure to support it, incident response
is limited in its scope and effectiveness. These technical capabilities of an
EIR are thus important as they enable greatly improved security incident response
processes and a more effective information security architecture.
Conclusion
In order to meet the ever-growing requirements of federal and state laws and
regulations, corporate counsel must play a vital role in establishing and ensuring
that a company’s incident response program comports with best practices.
If properly organized and monitored, corporate counsel should be able to rest
easier knowing that electronic data is properly secured and that, if a breach
occurs, the company can quickly and efficiently secure the impacted information.
Mark Harrington is associate general counsel for Guidance Software
Inc., where he focuses on the preparation and negotiation associated with business
agreements and in shaping company policy with the in-house legal team. He also
is a board member of the Association of Corporate Counsel, Southern California.
Certification
- This self-study activity has been approved for Minimum Continuing Legal
Education credit by the State Bar of California in the amount of one hour.
- The State Bar of California certifies that this activity conforms to the
standards for approved education activities prescribed by the rules and regulations
of the State Bar of California governing minimum continuing legal education.
Self-assessment test
Answer the following true-false statements after reading the MCLE article on
Rule of Professional Conduct 2-100. Use the answer
form provided to send the test, along with a $20 processing fee, to the
State Bar. If you do not receive your certificate within four weeks, call 415-538-2504.
- So long as an organization can respond to a discovery request or place a
litigation hold, there is no legal requirement for it to be proactive in safeguarding
its electronic data.
- A company firewall is adequate electronic data protection.
- Best practices of data protection require a forensically sound method for
protecting and searching data within an organization.
- Sarbanes-Oxley calls for “internal control” procedures that
extend beyond the accounting functions of a company.
- Under the Federal Trade Commission’s (FTC) Safeguards Rule, a covered
entity is advised but not required to enact a security program that includes
“responding to attacks, intrusions or other systems failures.”
- California companies must implement and maintain reasonable security procedures
and practices if they own or license unencrypted personal information about
California residents.
- Most laws requiring corporate incident response capabilities include guidance
on how to implement such an infrastructure.
- California’s Mandatory Disclosure Law requires an organization to
inform its customers if any of the customer’s personal data is compromised
as a result of a security breach.
- A complete incident response infrastructure must include the ability to
conduct investigations over the enterprise’s wide-area-network (WAN).
- ISO 17799 advises that enterprises use computer forensics to preserve the
admissibility of evidence.
- Federal courts have determined that best practices for safeguarding and
searching for relevant electronic data requires the latest technological developments
in computer forensics software.
- An organization’s ability to take a quick “snapshot” of
volatile electronic data is recommended by NIST special publication 800-61
as a critical technical requirement for incident response.
- Proper analysis of electronic data on live systems requires those systems
to be shut down.
- Counsel should require that protection and analysis of electronic data is
done in a forensically sound manner to withstand evidence authentication challenges.
- Under the Health Insurance Portability and Accountability Act (HIPAA), documenting
and reporting incidents, as well as responding to incidents, are an integral
part of a security program.
- As a result of regulations implementing the Gramm-Leach-Bliley Act (GLBA),
the FTC and FDIC have broad powers to fine and grant injunctive relief against
organizations that fail to implement incident response practices as part of
an overall information security plan.
- The California Business and Professions Code now requires companies to implement
and maintain sophisticated procedures and practices to protect personal information
from unauthorized access, destruction, use, modification or disclosure.
- California’s Mandatory Disclosure Law, SB 1386, applies only to companies
operating in California.
- If a company is ISO 17799 compliant, it must be able to properly collect
evidence in response to potential breaches of contract, regulatory violations
or in the event of civil or criminal proceedings, such as a violation of data
protection legislation.
- An effective incident response program can provide the basis for efficient
electronic discovery in the event of litigation.