Dealing with the new MA ID protection law
Has anyone figured out how the new Massachusetts "Order Regarding the Security and Confidentiality of Personal Information" impacts vendors to affected state agencies (executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus, and offices, now existing and hereafter established)?
This focuses internally, but we all know the private sector is going to have to comply in order to do business. Has anyone been asked to implement new processes? What's your take on this?
MA Law:
http://www.mass.gov/Eoca/docs/idtheft/eo504.pdf
Are compliance regulations the right approach to preventing ID theft? Is there any realistic alternative? This part of the debate is posted here:
http://vpnhaus.wordpress.com
Good Answers (3)
Lynn W.
virtualization since Jan68, online at home since Mar70
We had been tangentially involved with the Cal. state breach notification legislation. Some of the parties involved had done detailed consumer surveys about privacy. The number one consumer privacy issue was identity theft ... a major component is "account fraud" (fraudulent financial transactions against existing accounts) resulting from the information leakage in breaches. There was little or no attention being paid to such breaches, so it seemed that there was some hope that with the publicity from the notifications, it would start to prompt corrective action. Since the Cal. breach notification legislation, many other states have passed similar legislation. There have also been two classes of "federal" notification bills proposed over the past couple of years (those that are similar to the Cal. legislation and those that would essentially pre-empt state legislation and eliminate most notification requirements).
I was also involved as co-author of the x9.99 financial privacy standard, which required paying attention to GLBA and HIPAA as well as taking into account EU-DPD.
After having worked with a small client/server startup that wanted to do payments on their server (they had this technology called SSL, and the implementation is now frequently called electronic commerce), we were invited to be part of the x9a10 financial standard working group, which in the mid-90s had been given the requirement to preserve the integrity of the financial infrastructure for *ALL* retail payments. This is *ALL* retail, as in *ALL* credit, debit, stored-value, check, ACH, etc.; as in *ALL* POS, internet, unattended, face-to-face, mobile, transit, contract, contactless, etc.; and as in *ALL* low-value, medium-value, high-value, etc.
Part of this involved detailed, end-to-end threat and vulnerability studies of the environments ... which eventually resulted in the x9.59 financial transaction standard:
http://www.garlic.com/~lynn/x959.html#x959
In much of the current infrastructure, knowing the account number is sufficient for a crook to perform a fraudulent transaction. We've tried using a number of metaphors to describe the current infrastructure (fixed by x9.59):
* "dual-use vulnerability" metaphor
The account number is required in a large number of different business processes and is required to be readily available. At the same time, the account number has to be kept strictly confidential and never divulged to anybody (not even those needing it for business processes, since insiders have repeatedly been shown to be the major source of identity theft). We've claimed that even if the planet was buried under miles of information-hiding encryption, it wouldn't be sufficient to prevent information leakage.
* "security proportional to risk" metaphor
To the merchant, knowledge of the account number is worth some percent of the profit off the transaction; that same knowledge for the crook is worth the account balance/credit limit. As a result, the crook may be able to outspend the merchant by a factor of 100 times attacking the system (compared to what the merchant can afford to spend protecting/defending the system).
* "naked transaction" metaphor
Lots of naked transaction metaphor archived blog activity & posts:
http://www.garlic.com/~lynn/subintregity.html#payments
Links:
- http://www.garlic.com/~lynn/x959.html#x959
- http://www.garlic.com/~lynn/subintegrity.html#payments
- http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf
Clarification added October 25, 2008:
With X9.59 it is no longer necessary to "hide" financial transactions to prevent account fraud and fraudulent financial transactions. This doesn't do anything to eliminate data breaches ... but it eliminates the major threats that are the result of most data breaches.
As an aside, the major use of SSL in the world today is associated with hiding transmitted financial transactions as part of electronic commerce. X9.59 eliminates the need to use SSL for that purpose.
Clarification added October 27, 2008:
One of the issues with x9.59 financial standard uptake is that it commoditizes much of the payment transaction infrastructure ... by eliminating many of the existing threats, fraud, and vulnerabilities .... as well as being lightweight and secure enough that it is applicable across a broad range of implementations, values, and deployments.
Part of addressing the ALL issue was coming up with a parameterised risk management framework. The broad scope of the parameterised risk management framework allows for things like the same exact infrastructure and transactions to support single-factor authentication for low-value transactions and multi-factor authentication for higher-value transactions (somewhat analogous to not requiring signatures for low-value credit transactions ... aka the same hardware token may easily be used both with & w/o PIN depending on transaction value).
Clarification added October 27, 2008:
The following from the Kansas City Fed discusses some of the issues:
Can Smart Cards Reduce Payments Fraud and Identity Theft?
http://www.kansascityfed.org/Publicat/ECONREV/PDF/3q08Sullivan.pdf
This is a decade-old post mentioning the AADS chip strawman:
http://www.garlic.com/~lynn/aadsm2.htm#straw
although AADS chip work had started quite a bit earlier. AADS-related discussions and patent references:
http://www.garlic.com/~lynn/x959.html#aads
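The two ideas in the answer above, that a transaction authenticated by the account holder's token makes mere knowledge of the account number useless to a crook, and that a parameterised risk policy lets the same token run single-factor for low-value and multi-factor for high-value transactions, are illustrated by the following added example. It is not code from the poster or from the X9.59 standard: the account, secret, PIN, threshold and merchant names are constructed, and an HMAC over the transaction fields stands in for the standard's per-transaction digital signature so the script runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical policy threshold (cents): at or above this value the issuer
# demands a second factor (the PIN) in addition to the token's signature.
PIN_REQUIRED_AT_OR_ABOVE = 5_000


@dataclass(frozen=True)
class Transaction:
    account: str        # the account number, assumed to be widely known
    merchant: str
    amount_cents: int
    nonce: str          # unique per transaction so a captured one cannot be replayed

    def canonical(self) -> bytes:
        # The exact bytes the token authenticates; any change invalidates the MAC.
        return f"{self.account}|{self.merchant}|{self.amount_cents}|{self.nonce}".encode()


def token_sign(txn: Transaction, token_secret: bytes) -> bytes:
    """What the cardholder's hardware token produces: a MAC over the transaction
    fields. Stand-in for an X9.59-style digital signature (assumption)."""
    return hmac.new(token_secret, txn.canonical(), hashlib.sha256).digest()


def required_factors(amount_cents: int) -> set:
    """Parameterised risk policy: the same token is used with or without a PIN
    depending on transaction value."""
    factors = {"signature"}
    if amount_cents >= PIN_REQUIRED_AT_OR_ABOVE:
        factors.add("pin")
    return factors


class Issuer:
    """Holds each account's token secret and PIN hash: the only party that can
    tell a genuinely signed transaction from one built from a leaked number."""

    def __init__(self):
        self._token_secrets = {}
        self._pin_hashes = {}
        self._seen_nonces = set()

    def enrol(self, account: str, token_secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self._token_secrets[account] = token_secret
        self._pin_hashes[account] = (salt, digest)

    def _pin_ok(self, account: str, pin: str) -> bool:
        salt, digest = self._pin_hashes[account]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def authorize(self, txn: Transaction, signature: bytes, pin: str = None) -> str:
        secret = self._token_secrets.get(txn.account)
        if secret is None:
            return "declined: unknown account"
        expected = hmac.new(secret, txn.canonical(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "declined: bad signature"   # account number alone buys nothing
        if txn.nonce in self._seen_nonces:
            return "declined: replay"
        if "pin" in required_factors(txn.amount_cents):
            if pin is None or not self._pin_ok(txn.account, pin):
                return "declined: pin required"
        self._seen_nonces.add(txn.nonce)
        return "approved"


# Constructed sample data (not a real account or key).
ACCOUNT = "4111-0000-0000-0001"
TOKEN_SECRET = b"constructed-token-secret-0001"


def demo() -> dict:
    """Run the scenarios from the answer and return each outcome."""
    issuer = Issuer()
    issuer.enrol(ACCOUNT, TOKEN_SECRET, "4821")
    results = {}
    # Low value: the token's signature alone is the single factor.
    low = Transaction(ACCOUNT, "corner-shop", 1_250, "n1")
    results["low_value_token_only"] = issuer.authorize(low, token_sign(low, TOKEN_SECRET))
    # A crook who only learned the account number from a breach cannot sign.
    forged = Transaction(ACCOUNT, "crook-mart", 1_250, "n2")
    results["forged"] = issuer.authorize(forged, token_sign(forged, b"guessed-secret"))
    # High value: same token, but the policy now also demands the PIN.
    high = Transaction(ACCOUNT, "electronics", 90_000, "n3")
    sig = token_sign(high, TOKEN_SECRET)
    results["high_value_no_pin"] = issuer.authorize(high, sig)
    results["high_value_with_pin"] = issuer.authorize(high, sig, pin="4821")
    # Re-presenting the already approved transaction is refused.
    results["replay"] = issuer.authorize(high, sig, pin="4821")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

Because the secret never leaves the token and the issuer, a breached database of account numbers does not let anyone produce an acceptable transaction, which is the sense in which the post says the transaction no longer needs to be hidden; the value threshold is the one knob the risk policy turns.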
Rob S.
Cyber Security Lead, Cyber Security Practice at Black & Veatch
In the past, when breaches took place that compromised the privacy of personally identifying information, businesses covered them up. That's just a simple fact, as any security consultant who did incident response 8 years ago can tell you. Then, California passed SB 1386, and the business world was all aflutter. Their main concern wasn't that they had to implement any new security, or change how they did business. What the buzz was about was the simple provision that if they did suffer a breach that affected residents of California, they were bound by law to report it, publicly. Other states then went on to pass similar bills, many of them patterned after the provisions of SB 1386.
Guess what happened next? Breach after breach after breach became public. And as a result of that, the issue came to light, and people started doing more to protect this information. Do I think regulations are the best way to accomplish things? Definitely not. But in many situations, there has to be an outside party that dictates standards of conduct, or else a large number of organizations will act in their own best interests (as they are supposed to do), to the detriment of the public. And I think that given the track record on data security regarding PI, regulations like these are needed right now.
Javed I.
CISO/Chief Information Security Officer with security program bootstrap experience
Eric:
Some observations as a MA resident and an information security service provider.
1. As a consumer and state resident, I am glad MA is taking a leadership role. This is probably the toughest data breach notification law out there (we track all state laws for our customers).
2. Full disclosure: this will probably mean more business for my company, so I have some vested interest in this.
3. All state agencies are required by this to adopt and maintain an information security program. They can NOT do this without ensuring their vendors are also maintaining an information security program (well, some of them anyway... the company that washes the windows can probably be exempt).
4. This takes effect on 1/1/09. After that, the vendor security requirements will start trickling out, and my guess is it will take over a year to reach everyone. We do a lot of vendor security due diligence for our customers, and it is like pulling teeth. My prediction is, by the end of 2010 they will have about 50% compliance (if they are lucky).
5. Compliance is the right _first_ step to preventing ID theft. It is a process--not something that can be achieved the day you become compliant (Hannaford was 100% PCI-DSS compliant and still had a massive breach).
Regards,
Javed