Author Mark

Should Your Business Have a Privacy Policy?

Tags: Privacy, Privacy Policy, Small Business

Small business owners often ask me the following questions about privacy policies:

  1.   What is a privacy policy (notice, statement, etc.) (“Privacy Policy”)?
  2.   Does my business need one?
  3.   What should be included in a privacy policy?

I am usually surprised by question 1, although I should not be, since about half of online Americans do not know what a privacy policy is. That question is reasonably straightforward to answer:

Privacy Policy (def.): A statement or document describing how a company or website collects, uses, and discloses information about a visitor. It usually states what specific information is collected, the purpose for collecting it, how the company uses the information, and whether it is shared with others.

The purpose of a Privacy Policy is to give notice to an individual that the business is collecting information about that consumer, the types of information being collected, and what is being done with that information. For example, see Target’s privacy policy.

Questions 2 and 3 require a little more consideration, as the answers are not clear-cut and some businesses may be better off without a Privacy Policy.

DOES MY BUSINESS NEED A PRIVACY POLICY?

As with many things in life, the answer for businesses in the United States is “it depends.” There is no federal law that requires every business to have a privacy policy disclosing how it collects, uses and discloses information collected from potential customers.

Some types of businesses, however, are required to have Privacy Policies, either because specific federal or state laws apply to them or because of certain business activities they engage in.

Businesses Required to have Privacy Policies

There are several ways a business can be forced to have a Privacy Policy:

Federal and State Laws

California Online Privacy Protection Act California Bus. & Prof. Code §§ 22575-22578: Requires an operator, defined as a person or entity that collects personally identifiable information from California residents through an internet website or online service for commercial purposes, to post a conspicuous Privacy Policy on its website or online service (which may include mobile apps) and to comply with that policy. Among other things, the law requires the Privacy Policy to identify the categories of personally identifiable information collected about consumers and the third parties with whom the operator may share the information.

Connecticut Gen. Stat. § 42-471: Requires any person who collects Social Security numbers [presumably of Connecticut residents] in the course of business to create a privacy protection policy. The policy must be “publicly displayed” by posting on a web page and the policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

Children’s Online Privacy Protection Act of 1998 (COPPA):  Requires (1) operators of websites and online services directed at children under the age of 13, including mobile app developers, and (2) operators of general-audience websites and online services who know that they are collecting personal information from children under the age of 13, to post a Privacy Policy on the homepage of their website and a link to the Privacy Policy on every page where personal information is collected.  COPPA has very detailed requirements for what the Privacy Policy must contain. See, e.g., Relay Recess COPPA Privacy Policy.

Gramm-Leach-Bliley Act:  Requires financial institutions to provide a clear and conspicuous privacy notice to consumers, initially and then annually, about the institution’s information-sharing policies and practices.  The notice must state what information the financial institution collects about its consumers and customers, with whom it shares the information, how it protects the information, and how a consumer can opt out. See, e.g., Chase U.S. Consumer Privacy Notice.

Health Insurance Portability and Accountability Act of 1996 (HIPAA):  Requires covered entities (health care providers, health plans, and others) to provide a detailed notice of privacy practices no later than the date of first service delivery. The notice has very specific required elements, including detailed statements about an individual’s rights with respect to their protected health information.  See, e.g., the Health and Human Services Model Notice of Privacy Practices.

If any of these statutes apply to your business, you must have a Privacy Policy or face the penalties for non-compliance.  Consult an attorney, or the applicable statute and regulations, to ensure that your Privacy Policy contains the required elements, as each statute differs.

International Law

Your business also must have a Privacy Policy if you conduct business in, or collect information about individuals in, the European Union, Canada, and many other countries.   Many countries have data privacy laws of more general application than the United States, under which every business that collects personal information about individuals needs a Privacy Policy.   Consult a local attorney in each country where you conduct business to ensure that your Privacy Policy and the other aspects of your business comply with applicable data privacy laws.

Google AdSense

Another business activity that requires your business to create a Privacy Policy is displaying Google AdSense advertising on your website.  As part of the  terms and conditions, Google AdSense requires you to “have a clearly labeled and easily accessible privacy policy that provides end users with clear and comprehensive information about cookies, device-specific information, location information and other information stored on, accessed on, or collected from end users’ devices. . . .”

Failure to do so may lead Google to suspend or terminate your account and prohibit you from creating a new account or monetizing content on other Google products.  Consult an attorney to make sure that your Privacy Policy contains all of the elements required by Google AdSense.

Mobile App Developers

Another business activity that requires a Privacy Policy is developing mobile applications (“Apps”).   In 2012, California struck an agreement with the six largest mobile app platforms (Apple, Google, Microsoft, Amazon, Hewlett-Packard, and Research in Motion), under which the platforms agreed to a set of principles intended to bring mobile apps into compliance with the California Online Privacy Protection Act.

The platforms agreed to require developers of apps that collect personal information to include Privacy Policies that consumers can review before downloading the app. Thus, if you want your app distributed through these platforms, it needs a Privacy Policy that complies with California law. Consult an attorney to make sure that your Privacy Policy includes all of the elements California law requires.

Businesses Not Required to Have Privacy Policy

If none of the above situations apply, your business is not required to have a Privacy Policy. Many businesses nevertheless choose to adopt one, particularly on their website.  They want to create a competitive advantage and believe that customers value their privacy and will choose businesses that care about it.  Also, for some businesses, such as social media, customers expect a Privacy Policy before turning over their personal information and want to know what the company is going to do with it.

It is unclear whether these are valid reasons for adopting a Privacy Policy.   First, not many consumers actually read or understand the privacy policies on websites.   A recent Internet Society study found that fewer than half (42%) of U.S. citizens read Privacy Policies most or all of the time on the websites or internet services they use.  I actually think it is probably much less than 42%, since I have yet to find anybody (except a privacy attorney) who has read a Privacy Policy more than once!  That is not surprising, since another recent study found that it would take approximately 76 working days to read all of the Privacy Policies of the websites a person visits in a single year. Thus, it is hard to see how a Privacy Policy can show customers that a business cares about privacy when customers are not even reading it.

Second, Privacy Policies create a substantial risk of a lawsuit or government investigation if your business does not accurately describe its information collection, use, or disclosure practices. For example, the FTC recently brought a case against Snapchat based in part on alleged misrepresentations in Snapchat’s Privacy Policy about its information collection practices.

Snapchat allegedly transmitted geolocation data from users of its Android app despite a Privacy Policy stating that Snapchat did not track or access such information. Snapchat also allegedly collected contact information from iOS users’ address books despite claiming that the app collected only the user’s email, phone number and Facebook ID for the purpose of finding friends.  Snapchat ultimately settled with the FTC and is required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.

The Snapchat case, like other cases, shows that statements and promises made in your Privacy Policy can come back to haunt your business.  The statements in a Privacy Policy are promises to users about what your business does with their information.  If the Policy does not reflect your business’s actual collection or use practices, you can be sued or investigated for misrepresentation.  And if your business ever suffers a data breach, any lawsuit over the breach will invariably raise a claim that your Privacy Policy contained misrepresentations.  See, e.g., In re: Target Corp. Customer Data Security Breach Litigation, MDL No. 14-25222, Consolidated Class Action Complaint, D. Minn. 2014, at ¶¶127-134.

So if you are considering whether to adopt a Privacy Policy, consult an attorney to see whether it makes sense for your business. If you decide to adopt one, make sure the Policy accurately reflects your information collection, use and disclosure practices. Below are some best practices on what should be included in a Privacy Policy and where it should be displayed on your website.

BEST PRACTICES IN CONNECTION WITH PRIVACY POLICIES

Conspicuously Display Privacy Policy

If you need a Privacy Policy, or decide to have one, post a link to it in a conspicuous, easy-to-find location on your website.  The home page is the best place, since the link will be available to visitors before they submit any private or personally identifiable data.  The link text should be large enough to read easily.  If you run an e-commerce site, the link should also be prominently displayed on product pages and in the shopping cart.

Disclose Information Collection and Use Practices

One of the most important aspects of a Privacy Policy is to explain the types of information collected on your website and how your business uses the information. The following should be clearly explained regarding your information practices:

  • Types of Information: The types of information collected and used;
  • Purpose: The purpose of collecting this type of information;
  • Cookie Policy: Your practices regarding cookies, including any tracking cookies;
  • Do Not Track Policy: Many browsers have a “do not track” feature that lets users tell websites that they do not want their online activities tracked. Make sure to state whether your website responds to browser “do not track” signals.
  • Sharing/Selling Practices: Information about all parties, including third parties, with which you share or to which you sell information;
  • Contact Information: Your contact information and the contact information of all third parties who receive the information from your website in case customers have a question or want to make a complaint.
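The “do not track” bullet above is only honest if the site actually behaves the way the policy says. As an added example that is not code from the original post, here is how a web server can honour the signal: a browser with the feature enabled sends the request header DNT: 1, and this small WSGI application (standard library only) suppresses its analytics cookie on such requests and records why, so the decision can later be shown to a regulator. The cookie name _analytics_id and the shape of the audit record are assumptions made for illustration.

```python
"""Added example (not from the original post): honouring the browser's
Do Not Track ("DNT") signal on the server side.

A browser with DNT enabled sends ``DNT: 1``. A site whose Privacy Policy
says it responds to DNT must then neither set nor read tracking cookies
for that request. This is a plain WSGI app so it runs with only the
standard library; the cookie name ``_analytics_id`` and the audit record
format are assumptions for illustration, not from the original post.
"""
from http.cookies import SimpleCookie
import secrets
from typing import Mapping, Optional

TRACKING_COOKIE = "_analytics_id"  # assumed name of the analytics cookie


def dnt_enabled(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries ``DNT: 1``.

    WSGI exposes request headers as ``HTTP_<NAME>``; a plain dict keyed by
    the raw header name is accepted too, which keeps the function testable.
    Anything other than exactly "1" ("0", unset, garbage) is *not* treated
    as an opt-out: tracking is suppressed only on an explicit signal.
    """
    value = headers.get("HTTP_DNT") or headers.get("DNT") or headers.get("dnt")
    return value is not None and value.strip() == "1"


def tracking_decision(headers: Mapping[str, str]) -> dict:
    """Decide, for one request, whether tracking may occur and why.

    Returns a small record suitable for an audit log, so the business can
    later demonstrate that the DNT promise in its Privacy Policy was kept.
    """
    if dnt_enabled(headers):
        return {"track": False, "reason": "DNT:1 received; tracking suppressed"}
    jar = SimpleCookie(headers.get("HTTP_COOKIE") or headers.get("Cookie") or "")
    existing = jar.get(TRACKING_COOKIE)
    if existing is not None:
        return {"track": True, "reason": "existing tracking cookie reused",
                "id": existing.value}
    return {"track": True, "reason": "new tracking cookie issued",
            "id": secrets.token_hex(8)}


def set_cookie_header(decision: dict) -> Optional[str]:
    """Build the Set-Cookie value for a decision, or None when tracking is off."""
    if not decision["track"]:
        return None
    return (f"{TRACKING_COOKIE}={decision['id']}; Path=/; Max-Age=31536000; "
            "Secure; HttpOnly; SameSite=Lax")


def app(environ, start_response):
    """Minimal WSGI app: respects DNT and tells the visitor what it did."""
    decision = tracking_decision(environ)
    # "Tk" is the tracking-status response header from the W3C Tracking
    # Preference Expression spec: N = not tracking, T = tracking.
    headers = [("Content-Type", "text/plain; charset=utf-8"),
               ("Tk", "T" if decision["track"] else "N")]
    cookie = set_cookie_header(decision)
    if cookie:
        headers.append(("Set-Cookie", cookie))
    start_response("200 OK", headers)
    return [decision["reason"].encode("utf-8")]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8000, app) as srv:
        srv.serve_forever()
```

Run it and request the page twice, once with DNT enabled in the browser and once without: the DNT request gets no Set-Cookie and a Tk: N header, the other gets the analytics cookie. The point for the Privacy Policy is the audit record: if the policy says the site honours DNT, the logs should show "tracking suppressed" for every DNT request.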

Choice

Your Privacy Policy should explain what options the consumer has about whether and how her data is collected and used by your website. For each choice, provide the customer a way to opt out of the collection or use practice. For example, if you give customers the choice of not receiving promotional materials, provide an email address or phone number through which they can opt out.

Access

Your Privacy Policy should explain how a customer can see what data your business has collected about him or her, and how the customer can change or correct the data if necessary. Provide a way for a consumer to contact you to make changes, and then be sure to honor any requested changes.

Security

Your Privacy Policy should state the security measures you have implemented and how collected or stored data is protected. Be accurate about your security practices and give an honest assessment. It is far better to under-promise and over-deliver. Do not say that your organization follows all applicable data protection laws if you are uncertain what all the legal requirements are or whether your business actually meets them. These promises can come back to haunt you if you have a data breach.

Redress

Your Privacy Policy should provide a way that a customer can contact you and seek redress if the Policy is being violated.  It should also include a limitation of liability for any damages that may be suffered by any breach of your Privacy Policy or for use of your website.

Updates

Your Privacy Policy should tell users how changes to it will be communicated.  Document every change to your Privacy Policy over the years and keep every version.  You never know when a regulator or individual will ask questions about a particular version.

That’s it for this week.  Hope everyone is not getting buried in snow like me.  Please let me know if you have any questions or comments about Privacy Policies or anything else related to privacy.

Credit Card Security for Small Business (Pt. 2)

Tags: PCI DSS, Preparation, Prevention, Privacy, Security, Small Business

In the last blog post, I discussed the first two of the four steps a small business needs to follow to comply with the Payment Card Industry Data Security Standard (“PCI DSS”):

1.  PCI DSS Scoping – Determine which of the organization’s system components and networks are in scope for the PCI DSS assessment.

2. Assessing – Examine and assess the compliance of the in-scope system components and networks, following the testing procedures for each PCI DSS Requirement.

3. Reporting – The PCI DSS Qualified Security Assessor (QSA) and/or the business submits the required documentation to validate compliance with PCI DSS, including documentation of all compensating controls.

4. Clarifications – The QSA and/or the business clarifies the ROC and/or SAQ, if needed, at the request of the acquiring bank or payment card brand.

This week I’ll look at the remaining two steps.

III. REPORTING

Reports are the official mechanism by which a business validates its compliance with PCI DSS to its acquiring bank or payment card brand. Depending on the brand and the bank, any of the following may be required:  a Report on Compliance (ROC); a Self-Assessment Questionnaire (SAQ); quarterly scan reports from an Approved Scanning Vendor (“ASV”), if required; and possibly others.

The form and extent of your validation reporting is set by your acquiring bank in accordance with the validation requirements of the payment card brands. Visa, for example, divides merchants into four levels based on aggregate Visa transaction volume over a 12-month period.  The more transactions a merchant handles, the greater the validation reporting requirements:

Level 1
  Merchant criteria: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region.
  Validation requirements:
  • Annual ROC by a Qualified Security Assessor (“QSA”), or by an internal auditor if signed by an officer of the company. The internal auditor is strongly recommended to hold the PCI SSC Internal Security Assessor (“ISA”) certification.
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 2
  Merchant criteria: Merchants processing 1 million to 6 million Visa transactions annually (all channels).
  Validation requirements:
  • Annual SAQ
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 3
  Merchant criteria: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
  Validation requirements:
  • Annual SAQ
  • Quarterly network scan by an ASV
  • Attestation of Compliance form

Level 4
  Merchant criteria: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
  Validation requirements:
  • Annual SAQ recommended
  • Quarterly network scan by an ASV, if applicable
  • Compliance validation requirements set by the merchant’s acquiring bank

A merchant that suffers a data breach is automatically moved up a level and may be required to meet the Level 1 validation requirements even though it does not handle over 6 million Visa transactions.  MasterCard, Discover and American Express also base validation requirements on transaction volume, although American Express breaks the numbers down a little differently.

Report on Compliance (ROC)

ROCs are the most detailed and complicated of the validation reports required by the PCI Security Standards Council. A ROC describes the organization’s environment and the assessment methodology, and documents the organization’s compliance with each PCI DSS Requirement.

Any QSA completing a ROC must use the official ROC Reporting Template for PCI DSS v3.0. The template includes the following sections:

  • Executive Summary – Description of organization’s payment card business and high level network diagram.
  • Description of Scope of Work and Approach Taken– Description of how the assessment was made, environment, network segmentation used, details of each sample set selected and tested, wholly owned or international entities requiring PCI DSS compliance, wireless networks or applications that could impact security of cardholder data, and version of PCI DSS used to conduct the assessment.
  • Details about Reviewed Environment – Diagram of each network, description of the cardholder data environment (“CDE”), list of all hardware and software in the CDE, service providers used, third-party payment applications, individuals interviewed, documentation reviewed, and details of managed service providers.
  • Contact Information and Report Date
  • Quarterly Scan Results – Summary of four most recent ASV scan results
  • Findings and Observations – Detailed findings on each requirement and sub-requirement, including explanation of all N/A responses and validation of all compensating controls.

As you can likely tell, the ROC is enormously complicated and expensive.  ROCs are usually required only of entities that handle a significant number of transactions (over 6 million for Visa, MasterCard and Discover) or that have previously had a data breach.  They should be completed only by a QSA or an ISA.  If you need a QSA, check the PCI SSC’s list of approved QSAs.

Self Assessment Questionnaires (SAQ)

Most small businesses process fewer than 6 million credit card transactions and need only file an annual SAQ rather than a ROC. An SAQ is a series of yes-or-no questions about your security posture and practices for each applicable PCI DSS requirement. If you answer “no” to a question, the business may be required to document the remediation steps it will take to correct the deficiency and when they will be complete.

The type of SAQ your business needs to complete depends on how you accept credit cards:

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that fully outsource all cardholder data functions to PCI DSS compliant third-party service providers. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

SAQ A-EP: E-commerce merchants that outsource all payment processing to PCI DSS validated third parties and have a website that does not directly receive cardholder data but can affect the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

SAQ B: Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C: Merchants with payment application systems connected to the Internet. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ D for Merchants: All merchants not covered by the descriptions above.

SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ.

Each SAQ is intended only for merchants that fit its description, and its questions are tailored to the PCI DSS requirements relevant to that type of card processing.  Some questionnaires therefore have fewer questions and are easier to complete than others, because the merchant has less contact with card data.  Choose the questionnaire that fits your business.  If you are not sure which SAQ applies, check with your acquiring bank, which can provide guidance.  Many processors will even fill out the SAQ for you (usually for a fee), but you should review it to make sure it is the right questionnaire and that the answers are accurate.

Quarterly Network Scans

As discussed last week, an organization usually must have quarterly external vulnerability scans of its Internet-facing systems performed by an Approved Scanning Vendor (ASV).  Internal vulnerability scans are also required quarterly, but those may be performed by qualified internal staff rather than an ASV.  See Credit Card Security for Business (part I) at no. 11; see also PCI DSS Requirements and Assessment Procedures at Req. 11.  Hire an ASV for the external quarterly scans and follow your acquiring bank’s instructions on the form and process for reporting the results.

Attestation of Compliance

The Attestation of Compliance (“Attestation”) is your organization’s declaration that the relevant PCI DSS requirements have been met.  There is a separate version of the Attestation for the ROC and for each SAQ type, so use the one that matches the validation document you completed: the ROC Attestation for a ROC, the SAQ A Attestation for SAQ A, and so on.

Each Attestation requires your business to provide:

  • Details about the business and the individual conducting the PCI DSS Assessment;
  • Executive summary of the manner in which your business accepts credit cards, the CDE covered by the assessment, third-party service providers, and your eligibility to use the validation report being used (ROC, SAQ A, SAQ A-EP, etc.);
  • Date that validation report was completed;
  • Whether your business complies with all of the PCI DSS requirements specified in the validation report;
  • Action Plan for any Non-Compliant Requirements.

The Attestation must be accurate and free of misrepresentations about the status of your PCI DSS compliance. It is far better to identify deficiencies and develop a plan for remediating them than to make a false statement to secure a finding of compliance.

IV. CLARIFICATIONS

Occasionally, the acquiring bank or card brand will ask for clarification of some aspect of your PCI DSS compliance. Do not panic; this is not uncommon. Cooperate fully and be as helpful as possible in understanding and resolving the question. Forward copies of any documents requested, and make sure to document each request, your answer, and every document you send.

If your acquiring bank wants to conduct a PCI DSS audit, comply fully. Such an audit usually occurs when a data breach is suspected. If notified of an upcoming audit, gather all relevant PCI DSS compliance documentation and have it ready for the inspectors when they arrive. You want the audit team to see that you take PCI DSS compliance seriously and are fully cooperative. This will make the process smoother and get your business up and running again as soon as possible.

The audit team checks whether a security breach occurred and the circumstances of the breach, and determines whether your business was actually compliant with the PCI DSS requirements at the time. If it was, you are generally not responsible for the fines, card replacement fees, or fraud refunds that result from the breach. If it was not, you are potentially on the hook for all of these costs.

That’s it for this week. Thanks for reading. Let me know if you have any questions regarding PCI DSS or anything else.

Credit Card Security for Small Business (Pt. 1)

Tags: Business, Data Breach, PCI DSS, Prevention, Privacy, Security, Uncategorized

Staples recently suffered a data breach caused by malware on its point-of-sale (“POS”) systems at several stores.  This should not be surprising, since a recent Verizon study showed that a significant share of data breaches result from POS system intrusions. So what is a business to do?

Many small businesses avoid the problem by refusing to accept credit cards and taking only cash or checks.  But that is not a solution for businesses that want to accept credit cards.  For those merchants, the only realistic option is to comply with the Payment Card Industry Data Security Standard (“PCI DSS”).

PCI DSS is administered and managed by the Payment Card Industry Security Standards Council (PCI SSC), which was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).  PCI DSS is a rigorous set of security requirements (“Requirements”) designed to ensure that every company that processes, stores or transmits credit card information maintains a secure environment to protect cardholder data.  “Cardholder data” under PCI DSS is the primary account number (PAN) together with the cardholder name, expiration date and service code.  “Sensitive authentication data” (full magnetic-stripe or chip track data, the CAV2/CVC2/CVV2/CID security code, and PINs or PIN blocks) is protected even more strictly and may never be stored after authorization, even if encrypted.  A customer’s address or Social Security number is not cardholder data under PCI DSS, although other laws protect it.

Every merchant that accepts credit cards agrees to abide by PCI DSS as part of its merchant account processing agreement. See, e.g., NPC Merchant Processing Agreement at §§ 12.B.ii, 14.O. Failure to adhere to the requirements can lead to stiff penalties, an exorbitant PCI DSS non-compliance fee, increased transaction fees, or termination of the right to accept credit cards.

If a security incident, such as a data breach, occurs, a business is potentially liable for the following charges:

  • Data Security Fine – Up to $500,000 per security incident.
  • PCI Non-Compliance Fines – Up to $50,000 per day for non-compliance with the published standards.
  • Card Replacement Fees – $3 to $10 per card, multiplied by the number of cards compromised.
  • Refund Fees – Potential liability for all fraud losses incurred on the compromised accounts.

These penalties are assessed by the card brands, the acquiring bank, and the merchant’s processor, and come on top of other losses, such as harm to business reputation, that can result from a data breach, as I discussed in an earlier blog post.

To avoid this parade of horribles and reduce the likelihood that cardholder data will be lost, small and mid-sized businesses need to maintain PCI DSS compliance on an ongoing basis.

Compliance with PCI DSS is an ongoing process and typically involves the following four steps:

  1. PCI DSS Scoping – Determine which of the organization’s system components and networks are in scope for the PCI DSS assessment.
  2. Assessing – Examine and assess the compliance of the in-scope system components and networks, following the testing procedures for each PCI DSS Requirement.
  3. Reporting – The PCI DSS Qualified Security Assessor (QSA) and/or the business submits the required documentation to validate compliance with PCI DSS (e.g., a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls.
  4. Clarifications – The QSA and/or the business clarifies the ROC and/or SAQ, if needed, at the request of the acquiring bank, processor or payment card brand.

The first two steps will be discussed in this week’s blog post and the last two will be discussed next week.

I.   SCOPE OF PCI DSS REQUIREMENTS

The first step is to accurately determine the scope of the environment in your business that touches cardholder data.  The cardholder data environment (CDE) is composed of the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.  Scoping means identifying every system component located within or connected to the CDE, which can include:

  • Network devices (wired and wireless)
  • Servers
  • Applications
  • Virtualization components, such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.

Scoping needs to occur at least annually and prior to the annual assessment for PCI compliance validation. An organization must identify all locations and flows of cardholder data to ensure that all applicable parts of the CDE are included in the scope of PCI DSS assessment.

Network Segmentation

One helpful way to reduce the scope of a PCI DSS assessment is network segmentation, which isolates the cardholder data environment from the rest of your organization’s network.  Reducing scope lowers the cost and difficulty of maintaining PCI DSS controls and reduces risk for your business.

To be out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that the security of cardholder data would not be compromised if that out-of-scope component were compromised. Segmentation means controls, such as properly configured internal firewalls or router access control lists, that actually block traffic between the two zones; simply placing the CDE on its own VLAN does not by itself take the rest of the network out of scope. More details on segmentation are contained in the Requirements at p. 11 and in Appendix D.
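The scoping rule above (“located within or connected to the CDE”) and the segmentation test (“would cardholder data be compromised if this component were compromised?”) can be applied mechanically to a host inventory and the flows the firewall permits. The script below, an added example that is not code from the original post, does that over a constructed inventory (every host name, address and flow in it is invented for illustration): it lists the CDE hosts, the connected-to hosts that are pulled into scope together with the exact flow responsible for each, the hosts that remain out of scope, and any CDE host sitting outside the subnet the CDE is supposed to occupy. It also shows how one “any -> POS” firewall rule collapses segmentation by making every host connected-to. It is a first-pass check to run before an assessment, not a substitute for a QSA’s scoping work.

```python
"""Added example (not from the original post): first-pass PCI DSS scoping
from a host inventory and the flows a firewall permits. PCI DSS puts in
scope every system that stores, processes or transmits cardholder data
(the CDE) and every system that can connect to the CDE; a system is out
of scope only if segmentation stops it reaching the CDE. All host names,
addresses and flows below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Set

ANY = "*"  # wildcard used by a firewall "any" rule


@dataclass(frozen=True)
class Flow:
    src: str   # source host name, or ANY
    dst: str   # destination host name, or ANY
    port: int  # destination port the firewall allows


@dataclass
class Inventory:
    hosts: Dict[str, str]  # host name -> IP address
    handles_chd: Set[str]  # hosts that store, process or transmit CHD
    flows: List[Flow]      # flows the firewall permits


def _expand(inv: Inventory, rule: Flow) -> Iterator[Flow]:
    """Turn a wildcard rule into the concrete host-to-host flows it allows."""
    srcs = list(inv.hosts) if rule.src == ANY else [rule.src]
    dsts = list(inv.hosts) if rule.dst == ANY else [rule.dst]
    for s in srcs:
        for d in dsts:
            if s != d:
                yield Flow(s, d, rule.port)


def scope(inv: Inventory) -> dict:
    """Classify every host as CDE, connected-to (in scope) or out of scope.

    ``connected`` maps each connected-to host to the concrete flows that
    link it to the CDE, so the rules responsible are visible.
    """
    cde = set(inv.handles_chd)
    connected: Dict[str, List[Flow]] = defaultdict(list)
    for rule in inv.flows:
        for f in _expand(inv, rule):
            if f.src in cde and f.dst not in cde:
                connected[f.dst].append(f)
            elif f.dst in cde and f.src not in cde:
                connected[f.src].append(f)
    out_of_scope = set(inv.hosts) - cde - set(connected)
    return {"cde": cde, "connected": dict(connected), "out_of_scope": out_of_scope}


def misplaced_cde_hosts(inv: Inventory, cde_subnet: str) -> Set[str]:
    """CDE hosts whose address is outside the subnet the CDE should occupy.

    A payment system left on the office LAN is the classic way a
    'segmented' CDE quietly grows to the whole network.
    """
    net = ip_network(cde_subnet)
    return {h for h in inv.handles_chd if ip_address(inv.hosts[h]) not in net}


# Constructed inventory: two POS terminals and a payment gateway on a
# dedicated subnet, plus ordinary office systems.
EXAMPLE = Inventory(
    hosts={"pos-01": "10.10.1.11", "pos-02": "10.10.1.12", "payment-gw": "10.10.1.20",
           "ad-dc": "10.20.0.5", "ntp": "10.20.0.6", "hr-fileserver": "10.30.0.10",
           "marketing-pc": "10.30.0.55", "guest-wifi": "10.40.0.1"},
    handles_chd={"pos-01", "pos-02", "payment-gw"},
    flows=[Flow("pos-01", "payment-gw", 443), Flow("pos-02", "payment-gw", 443),
           Flow("pos-01", "ad-dc", 389), Flow("pos-02", "ad-dc", 389),
           Flow("payment-gw", "ntp", 123),
           Flow("hr-fileserver", "ad-dc", 445), Flow("marketing-pc", "hr-fileserver", 445)],
)


def report(inv: Inventory, cde_subnet: str) -> str:
    """Human-readable scoping summary, with a warning for misplaced CDE hosts."""
    r = scope(inv)
    lines = [f"CDE hosts:            {sorted(r['cde'])}"]
    for host, flows in sorted(r["connected"].items()):
        via = ", ".join(f"{f.src}->{f.dst}:{f.port}" for f in flows)
        lines.append(f"In scope (connected): {host}  via {via}")
    lines.append(f"Out of scope:         {sorted(r['out_of_scope'])}")
    bad = misplaced_cde_hosts(inv, cde_subnet)
    if bad:
        lines.append(f"WARNING: CDE hosts outside {cde_subnet}: {sorted(bad)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(EXAMPLE, "10.10.1.0/24"))
    # One careless "any -> POS" rule makes every host connected-to, i.e. in scope.
    flat = Inventory(EXAMPLE.hosts, EXAMPLE.handles_chd,
                     EXAMPLE.flows + [Flow(ANY, "pos-01", 22)])
    print("\nAfter adding an any->pos-01 SSH rule:\n" + report(flat, "10.10.1.0/24"))
```

With the constructed rules, the directory server and the NTP server are in scope because the POS terminals and gateway talk to them, while the HR file server, the marketing PC and the guest wireless are out of scope. Adding the single any-to-POS rule in the second run leaves nothing out of scope, which is exactly what an assessor will conclude about a flat network. The inventory and flow list are the inputs you should be able to produce from your firewall configuration and asset list; if you cannot, scoping has not really started.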

Use of Third Party Service Providers/Outsourcing

Another helpful way to reduce the scope of your PCI DSS assessment is to use a third party to store, process or transmit cardholder data on your behalf or to manage CDE components. If you use third-party service providers, however, you must clearly identify each provider’s specific roles and responsibilities with respect to cardholder data and PCI DSS. PCI DSS specifically calls for maintaining information about which requirements are managed by each service provider and which remain with you, commonly documented as a responsibilities matrix. See id. at Requirement 12.8.5.

Many service providers have these matrices available to describe their standard service to PCI merchants. To obtain one, simply ask for the “PCI Responsibilities Matrix.” If your service provider does not have any idea what you are talking about, it’s time to find a new service provider. PCI DSS allows you to outsource much of the handling of cardholder data to third parties, but you cannot avoid responsibility for ensuring that the data is kept secure and that PCI DSS is complied with.

II.  PCI DSS ASSESSMENT

The second step is to assess whether your business’s CDE complies with the 12 PCI DSS Requirements and the accompanying procedures contained in the Requirements. There are two main ways to fulfill your assessment obligations:

  1. Hire a PCI DSS QSA
  2. Do-It-Yourself

Hiring a PCI DSS QSA

PCI DSS QSAs are organizations that have been certified by the PCI Security Standards Council to assess compliance with PCI DSS standards. QSAs perform data security assessments, make recommendations, and certify compliance. Hiring a QSA will save you the time it would take to perform your own PCI DSS assessment and provide you with the peace of mind that the job was done properly.

The big downside to hiring a QSA is cost. QSA fees are generally quite expensive. One quote charged a base $5,000 fee plus $200 for every hour. Additional costs may include the equipment/software to fix whatever problems the QSA finds, which is also costly.

If you’re interested in hiring a QSA, here is a list of PCI DSS certified QSA companies.

Do-It-Yourself

Another way to assess your CDE for PCI DSS compliance is to do it yourself.  This may seem like a daunting task, but it can be done and may not be that difficult depending on the complexity of your organization and how you process cardholder data.  The PCI SSC website provides a helpful section here that is geared towards helping small merchants comply with the Requirements.

The website also provides a helpful Quick Reference Guide that summarizes the Requirements.  It is a must-read for any business that accepts credit cards and is considering conducting their own PCI DSS assessment.  The Guide is a fairly readable 40 pages with helpful tips and explanations.

Here’s a brief overview of the Requirements and some tips for assessing them, to give you an idea of whether self-assessment is feasible. This overview is not sufficient to assess whether your organization’s CDE complies with the Requirements. To conduct your assessment, you need to review the Requirements and follow the procedures for assessment.

Requirement 1:  Install and Maintain a Firewall Configuration to Protect Cardholder Data

This Requirement is fairly straightforward and easy to implement.  A firewall should be installed on any network, computer or device that is part of your CDE and contains or accesses cardholder data.  For most small businesses, this means ensuring that your PCs and network have a firewall.  Most operating systems come with some sort of security package that includes a firewall.  Just make sure that you regularly check to see that the firewall is working, and update it as necessary.  If you don’t have a firewall, look into a commercial firewall, such as Symantec, to install on your computer and protect your network.

Requirement 2:  Do Not Use Vendor Supplied Default Passwords

This Requirement is also fairly straightforward and easy to implement.  The easiest way for a hacker to access your internal network is to try vendor default passwords or default system software settings in your payment card infrastructure.  Far too often, merchants do not change default passwords or settings when hardware or software is deployed.

Don’t let this happen to you! Change your vendor-supplied passwords and system settings immediately.  Follow these Microsoft Tips for Creating a Password when choosing a new password or use this password generator.

Requirement 3:  Protect Stored Cardholder Data

As a general rule, cardholder data should not be stored unless it is absolutely necessary to meet the needs of your business. Sensitive data on the magnetic stripe or chip must never be stored.

If your business stores the primary account number associated with a credit card, it must be made unreadable through encryption or other technological measures. This can get very expensive and risky, so consult with a QSA to ensure compliance with PCI DSS. Best practice, however, is not to store any cardholder data.
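The following added example (not code from the original post) illustrates two of the technological measures PCI DSS accepts for making a stored PAN unreadable: truncation for display, and a keyed one-way hash for matching a card across transactions, so the full PAN is never kept at all. The key name and sample card number are constructed for the example; the card number is a standard Luhn-valid test number, not a real account.

```python
"""Rendering a stored primary account number (PAN) unreadable.

Added example, not from the original post. PCI DSS Requirement 3 accepts
truncation, one-way hashes based on strong cryptography, index tokens and
strong encryption as ways to make a stored PAN unreadable. This shows
truncation for display plus a keyed hash for lookup, which lets a merchant
recognise a returning card without ever storing the full PAN.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check that all card numbers satisfy; rejects typos."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def truncate_pan(pan: str) -> str:
    """Display form that keeps at most the first six and last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_lookup_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) over the full, normalised PAN.

    An unkeyed SHA-256 of a PAN is brute-forceable: the first six digits are
    a known issuer prefix, the last digit is a Luhn checksum, and the
    truncated display form above leaks the last four, so only a few digits
    are actually unknown. The secret key must live in a separate key store,
    never beside the token table, so that a copy of the table alone cannot
    be reversed into PANs.
    """
    digits = "".join(c for c in pan if c.isdigit())
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def store_transaction(pan: str, key: bytes) -> dict:
    """What a merchant record may keep instead of the raw PAN."""
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    return {
        "pan_display": truncate_pan(pan),       # for receipts and support staff
        "pan_token": pan_lookup_token(pan, key),  # for matching repeat cards
    }


if __name__ == "__main__":
    # Constructed key for the demo; a real key comes from a key-management system.
    demo_key = secrets.token_bytes(32)
    print(store_transaction("4111 1111 1111 1111", demo_key))
```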

Requirement 4: Encrypt Transmission of Cardholder Data across Open Public Networks

Cybercriminals may be able to intercept transmissions of cardholder data over open public networks, so it is essential to prevent their ability to view this data.  Encryption renders transmitted data unreadable by an unauthorized person.

If you accept credit card data on your website, then you should obtain an SSL certificate.  An SSL certificate ensures that any sensitive data transmitted through your website is encrypted. One place to use SSL is on a payment page during checkout.  There are plenty of SSL certificate vendors out there, so choose one that’s reputable.

If credit card data is transmitted over a wireless network, your wireless router should be password-protected and encrypted.  This is fairly easy to do, and your wireless router should have instructions about how to password-protect and encrypt it.  Encrypt your wireless network with the industry standard IEEE 802.11i (WPA2) and not WEP, which is no longer accepted as a security control by PCI DSS.

Requirement 5: Protect systems against malware and regularly update anti-virus software

This is also a no-brainer and easy to do.  Use anti-virus software on all systems, such as PCs and servers, commonly affected by malicious software.  This anti-virus software should be kept current, perform periodic scans, and generate audit logs that need to be retained according to PCI DSS Requirement 10.7.  Make sure that the anti-virus mechanisms are continuously running and cannot be disabled or altered by users.

Requirement 6:  Develop and Maintain Secure Systems and Applications

Security vulnerabilities in systems and applications allow criminals to access cardholder data. Some of these vulnerabilities are eliminated by using PCI approved PIN transaction security devices (i.e. PIN pads and credit card terminals) and PCI validated POS (Point-of-Sale) & payment gateway software.  Check the links above to make sure your current security device is compliant and your current software is validated.  If not, both should be upgraded.  Regularly install all vendor-provided updates, software and security patches to maintain compliance.

Requirement 7: Restrict Access to Cardholder Data

Cardholder data should only be accessed by authorized personnel and not by everyone in your company. Put systems and processes in place to limit access based on need to know and according to job responsibilities. Janitorial staff that cleans your offices should not be permitted to have access to cardholder data!

Requirement 8:  Identify and Authenticate Access to System Components

Assign a unique identification (ID) to each person with access to cardholder data and don’t allow sharing of IDs. You want to be able to trace all activities relating to cardholder data on your system to known and authorized users. If there is a problem, you will be able to determine and isolate the source in order to prevent additional difficulties. If an employee with authorized access is terminated, lock out their ID and prevent them from continuing to access cardholder data.

Requirement 9: Restrict Physical Access to Cardholder Data

Any physical access to data or systems that house cardholder data provides an opportunity for a person to access or remove devices, data, systems or hardcopies. To minimize this risk, restrict access to appropriate personnel and develop procedures to ensure that only appropriate personnel have access to cardholder data.

One way to do this is through the use of ID cards that only allow certain employees to have access to certain areas. Visitors should only be allowed access to certain locations, such as the front of a cash register, and not be allowed to view cardholder data. Furthermore, all media containing cardholder data should be locked in a secure location that only authorized personnel can access.

Requirement 10:  Track and Monitor All Access to Network Resources and Cardholder Data

Organizations must also track and monitor all access to cardholder data and related network resources. Logging mechanisms and the ability to track user activity are critical for effective forensics and vulnerability management, and a merchant must ensure the presence of logs that allow thorough tracking and analysis in the event something goes wrong and cardholder data is improperly accessed.
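Requirements 8 and 10 work together: unique IDs only pay off when the access log is actually reviewed against the user list. The added example below (not from the original post, and not a PCI DSS tool) runs such a review over a constructed log format and constructed user lists, flagging IDs not on the authorized list, IDs of terminated staff that were never locked out, denied attempts, and one ID in use from two places within a few minutes, which usually means a shared password.

```python
"""Reviewing a cardholder-data access log against the user list.

Added example, not from the original post. The log format (one line per
access with timestamp, user ID, source address, action and result), the
user lists and the log lines are all constructed for this example.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; returns None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def review_access_log(lines, authorized, terminated, window=timedelta(minutes=5)):
    """Return (line number, finding type, detail) tuples worth a human look.

    authorized: set of IDs currently allowed to touch cardholder data.
    terminated: set of IDs belonging to people who have left; any access by
                these means the lock-out in Requirement 8 did not happen.
    window:     two successful accesses by one ID from different sources
                within this window are reported as a likely shared ID.
    """
    findings = []
    last_seen = {}  # user ID -> (timestamp, source) of last successful access
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            # A log that cannot be parsed cannot be analysed; say so rather
            # than silently skipping it.
            findings.append((lineno, "UNPARSEABLE", line.strip()))
            continue
        user = rec["user"]
        if user in terminated:
            findings.append((lineno, "TERMINATED_USER", user))
        elif user not in authorized:
            findings.append((lineno, "UNKNOWN_USER", user))
        if rec["result"] != "OK":
            findings.append((lineno, "DENIED", user))
            continue
        prev = last_seen.get(user)
        if prev and prev[1] != rec["src"] and rec["ts"] - prev[0] <= window:
            findings.append((lineno, "CONCURRENT_SOURCES",
                             f"{user} from {prev[1]} and {rec['src']}"))
        last_seen[user] = (rec["ts"], rec["src"])
    return findings


# Constructed sample data for the example.
AUTHORIZED = {"jsmith", "tjones"}
TERMINATED = {"bwong"}
SAMPLE_LOG = [
    "2014-12-05T09:12:01 user=jsmith src=10.0.5.21 action=VIEW_PAN result=OK",
    "2014-12-05T09:13:40 user=jsmith src=10.0.5.88 action=VIEW_PAN result=OK",
    "2014-12-05T09:30:15 user=admin src=10.0.5.90 action=EXPORT_PAN result=OK",
    "2014-12-05T10:02:09 user=tjones src=10.0.5.30 action=VIEW_PAN result=DENIED",
    "2014-12-05T10:05:44 user=bwong src=10.0.5.30 action=VIEW_PAN result=OK",
    "this line was corrupted",
]

if __name__ == "__main__":
    for lineno, kind, detail in review_access_log(SAMPLE_LOG, AUTHORIZED, TERMINATED):
        print(f"line {lineno}: {kind}: {detail}")
```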

Requirement 11:  Regularly Test Systems

An organization must also have its systems scanned for internal and external security vulnerabilities by Approved Scanning Vendors (ASVs).  ASVs are organizations that validate adherence to certain PCI DSS requirements by performing vulnerability scans of merchants and service providers.

Internal and external vulnerability scans are conducted in a similar fashion.  Both scans are automatically administered via a computer program and an Internet connection, but one program usually cannot simultaneously conduct both scans.  An external vulnerability scan looks for holes in your network firewall(s), where malicious outsiders can break in and attack your network.  By contrast, an internal vulnerability scan operates inside your business’s firewall(s) to identify real and potential vulnerabilities inside your business network.  Internal scans may be performed by internal staff, but all external scans must be performed by ASVs for PCI DSS compliance.  Scans must be performed as needed, until passing scans are obtained.

To comply with PCI DSS, your business needs to pass an initial internal and external scan, and then pass 4 consecutive quarterly scans in subsequent years.  As part of these scans, regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.  Talk to your ASV to make sure that they are checking for this and for tips about how to monitor yourself.

Requirement 12:  Maintain a Policy that Addresses Information Security for all Personnel

Your organization must also develop and maintain an information security policy that informs employees of their expected duties related to security.  All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.  This policy should be reviewed annually and updated when the environment changes.

That’s it for this week.  Thanks for reading and please let me know if you have any questions. Check back next week for the last two steps that need to be taken in the process of complying with PCI DSS.

BYOD, Privacy and Security

Tags: Business, BYOD, Privacy, Security

It is very common for employers to allow or require employees to bring their own mobile devices, iPads and laptops into work and use the devices for work (“BYOD”).  A recent study reveals that the numbers are staggering:

• 89% of employees’ mobile devices connect to corporate networks;
• 65% of companies allow personal devices to connect to corporate networks;
• 78% of companies note that 2x as many BYODs connect than did 2 years ago;
• 68% of American small businesses already embrace BYOD.

BYOD is obviously popular with businesses and their employees.  But it creates enormous risks and concerns for businesses and employees that can only be properly handled by an effective BYOD Policy.

Business Risks and Concerns

The primary concern of most employers is security and the unauthorized dissemination of confidential business information to third parties.  Allowing personal mobile devices increases the risk of unauthorized access, disclosure and destruction of business data, as employees can lose their mobile devices that contain confidential information.  Or an employee can download viruses or malware along with the latest app, which can then infect the entire corporate network.

A related concern is an increased risk for potential liability from a data breach, particularly those breaches involving access to personally identifiable financial or health information. For example, doctors regularly lose mobile devices, or have them stolen, that contain patient personal health information.   These data breaches cost companies a significant amount of money and can lead to an unwanted and costly government investigation.

To the extent that nonexempt employees use personal mobile devices for work, the employer may also face exposure under the federal Fair Labor Standards Act or similar state statutes for failure to compensate these employees for overtime.  If nonexempt employees use these devices for work-related purposes outside their normal work hours, the employer may be required to pay them overtime compensation.

Employee Privacy Concerns

The use of personal devices for work-related activities offers employees greater convenience, flexibility and other advantages.  Employees are very attached to their personal mobile devices and a recent study shows that nearly 1/3 of employees would rather lose their wallet than their mobile device.  Using personal mobile devices for work raises some serious concerns among employees as work encroaches more and more on their personal life.

Loss of privacy and control over their electronic information are the two biggest concerns employees typically have with BYOD.  With respect to privacy, employees are concerned that employers will inappropriately access or use their personal information, particularly financial and health information, in ways that will harm them at work.  Employees are also concerned about losing control of their electronic information (e.g. photographs, videos, contacts, etc.) when employers attempt to remove or “wipe” business information from the employees’ device, which can be done remotely.  Employees store a lot of irreplaceable pictures, videos and other personal information on mobile devices and don’t want to lose these valuable memories.

BYOD Policy

To deal with these concerns, employers should develop a comprehensive BYOD policy and program that includes regular training and monitoring.  Below are some of the key issues that should be addressed:

Eligibility

Organizations should make clear who in the organization is allowed to use personal devices, whether on an ad hoc basis for a specific purpose or as a permanent replacement for corporate devices.  This can be viewed as a privilege to be earned, a response to employee demand, a requirement for certain types of roles, or a combination of these things.  For example, attorneys at different law firms are now regularly permitted to use their own mobile devices and iPads, but administrative assistants are not.  This is a function of client and partner demands and the need to be available 24 hours a day, 7 days a week.  Administrative assistants do not want or have the same client demands, so they are not permitted to use their mobile devices to access law firm networks.

Allowed Devices/Operating Systems

Organizations should also decide which operating systems will be supported under their BYOD policies.  Two areas that are a real challenge for BYOD policies are the diversity of operating systems on the various devices and the frequency of their updates.  The various choices include Android from Google; iOS from Apple; Windows Phone and Windows Mobile from Microsoft; Blackberry OS from RIM; Symbian from Nokia; and a few others.  What’s worse, some operating systems have multiple versions, and updates to the devices may or may not be automatic from the carrier or controlled by the enterprise.

These conditions make it very challenging to standardize just a few configurations that you will allow workers to use and support.  However, it is a best practice to set a minimum operating system version threshold for users to bring in their own devices as a baseline requirement to protect corporate data and apps running on them.  This may eliminate some of the older phones that are still in use, but you need to take minimal steps to ensure the security of your corporate network without draining company resources.

Wiping Data off the Device

When a smart phone is lost or stolen, or when a worker is no longer employed by the company, it may be necessary to forcibly wipe data off the employee-owned device.  The manner that this is done is largely a factor of the mobile device management tools that are used.  Some tools allow a selective wipe so that only corporate data is removed while not affecting the personal data.  Other management tools simply wipe the entire device clean.

Make sure that the BYOD policy clearly explains the data wipe method you will be using and get a signed acknowledgment if the employee chooses to use their own device.  Also consider using a user agreement, which will be discussed below.  To the extent feasible, it is better to selectively wipe corporate data and to leave personal data alone.  This will minimize the future risk of an employee lawsuit while still protecting the organization’s confidential information.

User Agreements

Companies should tread lightly when enforcing policies on personally-owned devices that are used for business.  From a legal standpoint, you should have a user agreement, which is a contract between the company and the end user regarding the use of the employee’s personal mobile device in the business environment.  Best practice is to have this contract presented to the employee regularly and have it affirmed periodically, typically once a year.

Key topics that should be considered for a user agreement include:

The Data Wipe Policy – The user agreement should specifically identify when information will be wiped from the device and what types of data will be wiped.

The Photo Policy – The user agreement should specifically identify what employees are not permitted to snap photos of (e.g. sensitive areas of the work environment; products in development; white boards and sensitive info or drawings).

Definition of Company Information – The user agreement should clearly explain what information is considered company information, how it must be handled, and that the organization ultimately owns all company information.

Web Filtering Requirements – Employees are expected to police their own behavior in terms of what shows up on their screens while connected to the corporate network and at work (e.g. no pornographic photos when the device is used in a business context).

Data Breach Trigger Policy – Employees must promptly report the loss or theft of the device and help the company determine if sensitive data is at risk.  The user agreement should specify the time-frame for reporting a lost or stolen device and the procedures regarding locking and wiping the device.

Maintain Certain Security Measures – The user agreement should also specify what security measures the employee should maintain with the device, such as installing certain software, maintaining updates, requiring antivirus protection, and other security measures.  It should also require a strong password to access the device.

Acceptable Use Policy – Additionally, the user agreement should specify how employees handle company information on their personal device and what can be done with this information.  Typically, these policies prohibit employees from downloading company information onto third-party cloud service document storage sites, such as Dropbox or Google Drive.

Monitoring Policy – The user agreement should also inform the employee about what kind of monitoring will be used by the employer with respect to the device and the BYOD policy.  This may include tracking the device’s location, monitoring internet and other activities, key-stroke logging, phone call monitoring, and other types of monitoring.  This is a very sensitive area for employees, so be sure to consult with an attorney to determine the scope of monitoring that is legal in your jurisdiction, explain the policy clearly to employees, AND obtain the employee’s consent.

eDiscovery – The user agreement should also let employees know how e-discovery requests will be handled, should the need arise.  This will be discussed further below.

Cost Sharing/Reimbursement

A primary reason why employers adopt a BYOD policy is to shift costs to employees.  The BYOD policy should clearly identify what costs will be borne by the employee and what costs will be reimbursed.

Some of the questions to ask and answer in connection with the policy are:

• Are individual users entitled to reimbursement?

• If so, for what services and under what conditions (e.g., voice usage, data usage, Wi-Fi hotspot usage, roaming usage, business vs. personal usage, manager approval, etc.)?

• Are any services not eligible for reimbursement (e.g., SMS/MMS, ringtone downloads, 411 calls, any service not explicitly identified as eligible for reimbursement)?

• Are there any caps on reimbursement (e.g., in the form of fixed monthly stipends or maximum-expense limits, independently of charges incurred)?

• Are individual users ever eligible for full or partial reimbursement of device acquisition or replacement costs?

Different companies answer these questions in different ways and there are numerous acceptable BYOD policies.  Choose the one that’s best for your business.

eDiscovery

When an employer is involved in litigation, it needs to know where company information is located and what its content is, and it needs to review that information in order to determine whether to ultimately produce it.

Electronically stored information, or ESI, is subject to discovery, which means it can be requested as evidence in a court case.  ESI is a category of discoverable information separate from print documents, and includes both structured and unstructured data such as emails, instant message logs, Word documents, PowerPoint presentations, and other types.

In litigation, eDiscovery is the process of identifying, collecting, preserving, reviewing and producing relevant electronic data or documents.  Determining which ESI is relevant is complicated and expensive due to the vast quantities of electronic information, and the difficulty in obtaining it and reviewing it to determine what information is relevant and to not produce privileged or confidential information.

BYOD and mobile devices present four challenges to eDiscovery:

• The company does not own or physically control the devices;

• There are a wide variety of potential data types to consider;

• The data can potentially reside in multiple locations;

• Safeguarding and retrieving the data can be difficult.

If you have a BYOD policy, or are considering implementing one, consider the following best practices to ensure that it is eDiscovery friendly:

• Mandate that employee devices be configured to save information directly to the company servers.

• Sync data between employee devices and company servers regularly.

• Ensure that your BYOD policy is forthright and outlines the exact process for eDiscovery, including a clear chain of custody.

• Consider purchasing and implementing one of the many applications capable of separating business data and personal data, making it especially easy for employers to locate discoverable data.

By taking these steps, you will minimize the costs associated with eDiscovery in case you are ever involved in litigation.

Termination of Employment Relationship

As part of your BYOD policy, you should outline the process for what happens when the employment relationship is terminated.  In most cases, a company wants to remove its data from an employee’s personal device when he or she leaves.  To accomplish this, the organization may require the employee to submit the device to the IT department, wipe it remotely, or simply tell the employee to delete the data.  Choose what policy and procedures work best for your organization.  Also make sure that employees are disconnected from the corporate network and are no longer able to access it after the employment relationship is ended.

That’s it for this week. Let me know if you have any questions about BYOD or if your BYOD policies contain some interesting provisions. Have a Happy Holiday!

Mobile Apps, Children’s Privacy and COPPA

Tags: Apps, COPPA, Preparation, Privacy

It was recently reported that mobile apps are still collecting lots of personal information about children and still may not be complying with the Children’s Online Privacy Protection Act, 15 USC 91 §6501-6506 or the Federal Trade Commission’s (“FTC’s”) Final Amended COPPA Rule (collectively, “COPPA”).  See also FTC, “Complying with COPPA: Frequently Asked Questions”, July 16, 2014.  App developers need to make sure their apps comply with COPPA, as the FTC is actively cracking down and there is an increased risk of a class action lawsuit based on a COPPA violation.

COMPLIANCE WITH COPPA

The primary goal of COPPA is to place parents in control over what information is collected from kids under the age of 13 (“Children”) online, while accounting for the dynamic nature of the Internet.  To comply with COPPA, an app developer should follow these steps (see FTC, Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for your Business):

1.  Determine if COPPA Applies to Your App or Website

COPPA only applies to the following:

• Operators of commercial websites or online services that are directed to Children and collect, use, or disclose Children’s personal information;

• Operators of general audience websites or online services with actual knowledge that they are collecting, using or disclosing personal information from Children; and

• Operators of websites or online services with actual knowledge that they are collecting, using or disclosing personal information directly from users of another website or online service directed to Children.

Several key terms need a little more explanation to appreciate the scope of COPPA:

Website or Online service:  This term is defined broadly by COPPA. Aside from websites, the following are potentially within COPPA’s scope:

o Mobile apps that send or receive information online,

o Internet-enabled gaming platforms,

o Plug-ins,

o Advertising networks,

o Internet-enabled location-based services, and

o Voice-over internet protocol services

Personal Information: The definition of personal information under COPPA is shockingly broad and includes any one of the following categories of information (“Personal Information”):

o First and Last Name;

o A home or physical address, including street name and name of a city or town;

o Online contact information;

o A screen or user name that functions as online contact information;

o A telephone number;

o A social security number;

o A persistent identifier that is used to recognize a user over time and across different websites or online services;

o A photograph, video, or audio file that contains a child’s image or voice;

o Geolocation information sufficient to identify the street name and city or town name; or

o Information concerning the child or child’s parents that the operator collects online and combines with an identifier above.

Directed at Children: The FTC looks at a variety of factors to determine if an app is directed at Children:

o the subject matter of the site or service,

o audio/visual content,

o the use of animated characters,

o child-oriented activities and incentives,

o the age of models,

o the presence of child celebrities,

o ads directed to children, and

o Other reliable evidence about the age of the actual or intended audience.

Collect: Under COPPA, an app collects Personal Information if it does one of the following:

o Requests, prompts, or encourages the submission of information, even if it’s optional;

o Lets Personal Information be made publicly available (such as in a public chat), unless you take reasonable efforts to delete virtually all Personal Information before postings are made public AND delete all information from your records; or

o Passively tracks a child online.

If your app or website is covered by COPPA, move on to step 2. Congratulations if you think it is not covered! But I suggest you talk with an attorney to confirm that COPPA does not apply to your app. You do not want to be wrong here!

2.  Post a COPPA Compliant Privacy Policy

If covered by COPPA, your app must post a privacy policy that clearly and comprehensively describes how Personal Information is collected from Children and how it is handled. To complicate matters, the privacy policy must describe your policies AND the practices of any third parties collecting Personal Information on your service, such as plug-ins or ad networks.

To comply with COPPA, your privacy policy should be clear, easy to read, and include the following information:

A List of All Operators Collecting Personal Information:  Your policy should identify each operator that collects or maintains a child’s Personal Information through your app.  Include a name and contact information (address, telephone number, and email address) for each operator.  If more than one operator collects Personal Information, it is acceptable to only provide contact information for one operator, so long as the selected operator will respond to inquiries about your app’s practices with respect to the other operators.  The other operators still need to be identified in your privacy policy.

A Description of the Personal Information Collected and How It’s Used:  Your privacy policy must describe the following:

o Types of Personal Information collected from Children;

o Ways that the Personal Information is collected (directly, or indirectly through cookies);

o How Personal Information will be used (e.g., marketing, notifying contest winners, incentives, or allowing children to post information);

o Whether the app discloses Personal Information to third parties, such as ad networks, and how the third parties use the information.

Description of Parental Rights:  Your app’s privacy policy must tell parents that:

o Your app won’t require a child to disclose more Personal Information than reasonably necessary to participate in the app’s activity;

o They have the right to review the child’s Personal Information, can direct you to delete it, and refuse to allow any further collection or use of the child’s Personal Information;

o They can agree to your app’s collection and use of their child’s Personal Information, but still forbid disclosure to third parties unless that’s part of the service (such as social networking); and

o The procedures that a parent must follow to exercise their rights.

Make sure that your privacy policy accurately describes your app’s practices and that you follow through on all promises made. Nothing will generate an FTC enforcement action quicker than a privacy policy that misrepresents the practices of the app.

3.  Notify Parents Directly Before Collecting Personal Information from Children

COPPA requires that your app provide parents with “direct notice” before collecting Personal Information from their child. The notice should be clear and easy to read, and should tell parents:

• Your app collected their online contact information for the purpose of getting their consent;

• Your app wants to collect Personal Information from their child;

• The parent’s consent is required for the collection, use, and disclosure of the child’s Personal Information;

• The specific Personal Information your app wants to collect and how it might be disclosed to others;

• A link to your online privacy policy;

• How the parent can give their consent; and

• If the parent does not consent within a reasonable time, you will delete the parent’s online contact information from your records and their child will not be able to use the app.

4.  Get Parent’s Verifiable Consent Before Collecting Information

Your app must also obtain a parent’s verifiable consent before collecting Personal Information about the child.  COPPA does not specify how to obtain verifiable consent, but it is critical to use a method that is reasonably designed, in light of available technology, to ensure that the person giving the consent is the child’s parent.

Acceptable methods of obtaining verifiable consent include:

• Provide a consent form to be signed by the parent via U.S. mail, fax or electronically;

• Require the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;

• Have the parent call a toll-free number staffed by trained personnel, or have the parent connect to trained personnel via video-conference;

• Verify the parent’s identity by checking a form of government-issued identification (such as driver’s license or passport) against databases of such information. Make sure to delete the parent’s identification info after completing the verification;

• Use the “email plus” method if you are only going to use Children’s Personal Information for internal purposes and will not be disclosing it to any third party;

• Use a common consent mechanism between multiple app developers who use the same system of obtaining verifiable consent;

• Rely on an app store to gain parental consent on your app’s behalf. Note that entry of a parent’s app store account number or password is not sufficient. The account number and password need to be used with other indicia of reliability to show that it is the parent giving the consent. Also, your app still needs to meet COPPA’s other requirements (such as the direct notice requirement);

• You can also apply to the FTC for pre-approval of a new method.  The FTC has already accepted some proposed new methods of verifiable consent and is regularly evaluating new ones.

There are certain circumstances under COPPA where your app can collect and use a narrow class of Personal Information without obtaining parental consent.  Check out the FTC’s website for a helpful chart of these limited exceptions.

5.  Respect Parents’ Ongoing Rights

Make sure to respect parents’ ongoing rights with respect to their child’s Personal Information.  If a parent asks, you must:

• Give the parent a way to review the Personal Information collected about the child;

• Give the parent a way to retract their consent and refuse the further use or collection of Personal Information about the child; and

• Delete the child’s Personal Information.

Note that you must walk a fine line before disclosing Personal Information about a child.  Take reasonable steps to ensure that you are dealing with a child’s parent and not some stranger. But do not make these steps so onerous that the real parent can’t find out what Personal Information your app is collecting about the child.

6.  Implement Reasonable Safeguards for Children’s Personal Information

COPPA requires you to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of Children’s Personal Information.  The first step is to limit the Personal Information collected and only collect what is absolutely necessary for your app’s services.  Then take reasonable steps to only release Children’s Personal Information to third parties capable of maintaining its confidentiality, security and integrity.  Obtain contractual assurances that the third parties will live up to those responsibilities.  Finally, only retain the Children’s Personal Information as long as reasonably necessary, and securely dispose of it as soon as you no longer have a legitimate reason for retaining it.

7. Investigate Participating in a COPPA Safe Harbor Program

As an app developer, one alternative worth investigating is the FTC-approved COPPA Safe Harbor Programs.  COPPA Safe Harbor programs are self-regulatory guidelines developed by various industry groups that have been approved by the FTC for complying with COPPA.

You can obtain two benefits by participating in one of these programs.  First, your app will be deemed compliant with COPPA so long as it follows the program’s guidelines.  Second, your app will be subject to the review and disciplinary procedures outlined in the program’s guidelines instead of a formal FTC investigation and enforcement.  Both are worthwhile, so you should consider participating in one of these programs.

ENFORCEMENT OF COPPA

COPPA is usually enforced by the FTC, although some state attorneys general have brought COPPA enforcement actions in the past. New Jersey, in particular, has brought and settled at least two COPPA enforcement actions against app developers.

The FTC has recently warned that mobile apps will be an enforcement priority under COPPA, and has already announced two settlements with mobile app developers:

1. Yelp:  Yelp, the online review website and app, paid $450,000 to settle charges that it violated COPPA by collecting Children’s Personal Information without sufficient parental notice or consent.  Yelp allegedly employed an age-screening mechanism that required a birth-date in order to register for its app, but thousands of Children were allowed to register, without notice or parental consent, after providing birth-dates that showed they were under 13.

2. TinyCo:  TinyCo, the developer of Tiny Pet and other apps, paid $300,000 to settle charges that it violated COPPA by collecting Children’s email addresses without sufficient notice and parental consent.   The email addresses were allegedly collected in exchange for free in-app currency.

In light of the FTC’s warnings, more enforcement actions against app developers are likely and the costs can be significant. In addition to the investigatory costs and the hit to your reputation, violators of COPPA can be penalized up to $16,000 per violation. That’s not chump change!

There is also a heightened risk of a class action lawsuit for failure to comply with COPPA.  Usually, COPPA violations are considered unlikely contenders for class action lawsuits because COPPA does not provide a private cause of action.  Without a cause of action, an individual or class cannot allege a COPPA violation as the basis for a complaint for damages.  This calculation may have changed in light of a recent Connecticut Supreme Court case:  Byrne v. Avery Center for Obstetrics and Gynecology, No. 18904, (Conn. Nov. 11, 2014).

In Byrne, the Court found that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the regulations of the Department of Health and Human Services (“HHS”) can “inform” the standard of care for a common law negligence action.  In this case, Emily Byrne received medical care from the Avery Center (“Center”) while in a personal relationship with Andro Mendoza. Mendoza filed a paternity suit and the court issued a subpoena to the Center to appear with Byrne’s medical records.  Byrne did not want the Center to release her medical records.  But the Center mailed a copy of the medical forms to the court.  Byrne claimed that the disclosure of the medical forms was not done in accordance with HIPAA and that she should have been notified of the subpoena.

As a result of the disclosure, Byrne filed suit for breach of contract, negligently releasing her medical file without authorization, negligent misrepresentation of the Center’s privacy policy, and negligent infliction of emotional distress.  After a motion for summary judgment, the trial court dismissed part of Byrne’s complaint and found that Byrne’s common law negligence and infliction of emotional distress claims were preempted by HIPAA, which does not provide a private cause of action.  The Connecticut Supreme Court reversed and concluded that “to the extent it has become the common practice for . . . follow the procedures required under HIPAA in rendering services to their patients, HIPAA and its implementing regulations may be utilized to inform the standard of care applicable to such claims arising from allegations of negligence in the disclosure of patients’ medical records pursuant to a subpoena.”

This decision is significant in several respects.  For app developers, the most important consequence is that it provides a road map for a potential plaintiff about how to sue for a violation of COPPA.  The plaintiff would need to plead a common law negligence claim related to the violation and argue that COPPA and the FTC regulations inform the duty of care applicable to these actions.  Alternatively, the plaintiff could argue that the COPPA violation is an unfair and deceptive trade practice under the state’s consumer protection.

It is still unclear whether these strategies will work or whether these strategies are preempted by COPPA.  I will postpone this discussion for another blog post.  But if app developers continue to ignore COPPA, plaintiffs and their attorneys may start actively pursuing these cases.  There is too much money potentially at stake.  Stay tuned for further developments.

Thanks for reading.

Eight Steps to Reduce the Risk of Identity Theft

Tags: Consumer, Identity Theft, Prevention

I spent the last couple of weeks talking about steps a business can take to secure the personal information collected from consumers and how to prepare for the inevitable data breach. Businesses are only part of the risk, however, and consumers should take some steps to reduce their risk of identity theft:

1. Protect Social Security Number (“SSN”)

Your SSN is one of the most critical pieces of personal information that needs to be protected, and it is the primary target of criminals.  With it, an identity thief can open fraudulent accounts in your name, charge unlimited amounts to these accounts, and create a false identity in multiple locations. At a minimum, you should take the following steps to protect your SSN:

• Only release your SSN when absolutely necessary, such as for tax forms, employment records, financial accounts, and property transactions. If a business requests your SSN, ask why it’s necessary and whether a different identification method can be used.  Ask to see the company’s written policy on SSNs and find out what the business will do with your SSN and the consequences if you refuse to provide it.  Most businesses are now aware of the sensitivity of this number, and few ask for it any longer.  If necessary, threaten to take your business elsewhere if the business won’t let you use a different form of identification.

• Do not carry your SSN in your wallet, except for situations when it is required, such as the first day on the job or when opening a financial account.

• Memorize your SSN and keep it in a safe place in your home.

• Do not provide your SSN over the phone unless it is to a trusted source.  Try not to say your SSN out loud when in a public place.  If you need to provide it to a merchant or health care provider, try to speak softly and make sure no one is listening.

2. Monitor Account Statements

Regularly monitor the following account statements for unusual activity and unauthorized transactions: bank, credit card, phone, cell phone, loyalty cards, investments, and other financial accounts.  These types of accounts have been targeted by criminals in the past and are at risk for attacks in the future.  Through regular monitoring, you can hopefully identify unusual activity quickly, before too much damage is done.  Report any suspicious activity to the appropriate account provider.

3. Clean out Your Wallet/Purse

Clean out your wallet or purse of all unused credit cards. Cancel these credit cards or put them in a safe place for emergencies.  Take this opportunity to safely dispose of old receipts, bank withdrawal slips, and any other document that might have sensitive personal information.  Proper disposal methods are discussed below at Step 8.

4. Order your Free Annual Credit Report

Federal law gives you the right to one free credit report from each of the three major credit bureaus: Equifax, Experian and TransUnion.  For maximum security, stagger these requests by asking for a free credit report every 4 months from a different credit bureau.  Your free credit report can be ordered in any one of the following ways:

Phone: (877) 322-8228
Internet: www.annualcreditreport.com
Mail: Print out the order form here: http://www.consumer.ftc.gov/articles/pdf-0093-annual-report-request-form.pdf.

There are many websites that offer a “free credit report” but these are often an attempt to get you to sign up for some other service.  Unless you need the service, do not waste your time or money.

When reviewing your credit report, look for the tell-tale signs of fraudulent activity: inquiries not generated by you and new credit accounts that you did not open. If you identify suspicious activity, then you should follow the steps outlined here: https://www.annualcreditreport.com/protectYourIdentity.action. These steps include placing an initial fraud alert on your credit file, contacting the security or fraud department of each company where the account was opened, filing a report with law enforcement officials, and others.

5. Protect your Internet Devices

Any time you connect to the internet through a computer, laptop, or mobile device (“Internet Devices”), you run the risk of downloading a virus, malware, or having your activity monitored by a hacker.  To better protect yourself take these steps on all of your Internet Devices:

Use a Firewall:  A firewall blocks unauthorized access to your Internet Devices while still allowing you to access the Internet.  Make sure that your Internet Devices have a firewall installed and activated.

Use an Antivirus Program: Antivirus programs help you prevent, detect and remove viruses, Trojan horses, and other malware. Install and regularly update anti-virus programs on all Internet Devices.

Use spyware blocking software: Spyware is a program that secretly collects info about you and can make your computer engage in unwanted activities. If not included with your Antivirus program, install and regularly update spyware blocking software on all Internet Devices.

Install Updates: It is important to regularly install updates and patches on all of the programs, apps and operating systems on your Internet Devices. Many updates solve critical security flaws that can be taken advantage of by cyber criminals if not repaired.  If available, set up automatic updates so that you don’t forget.

Use Strong Passwords: Create strong unique passwords to access each of your Internet Devices.  At a minimum your password should be at least 8 characters and include upper and lowercase letters, numbers and non-alphabetic characters (!, #, %, &, $, etc.). See Microsoft Tips for Creating a Strong Password.  Do not use dictionary words or personal information for your passwords, and use a different password for each device and account.  Change your password every 3-4 months.

Also, if your Internet Devices support it, you should consider using two-factor authentication.  Two-factor authentication involves using a password plus something else to identify you, such as a USB stick, fingerprint, mobile phone, or key.  This is a much more secure way to secure an Internet Device than regular passwords alone and is likely the wave of the future.

Encryption: Encryption is the process of scrambling and encoding information in such a way that the information can only be properly viewed and understood with a key (or password).  Several encryption programs are readily available at reasonable prices.  Also, file-level and whole-disk encryption are now available by default on some versions of Microsoft Windows, OS X, and new iPhones and Google Android devices.  Before encrypting anything, make sure you understand the process completely and store the key in a separate safe location.  It would be a shame to encrypt a device or file and not be able to access it in the future!

Avoid Public Wi-Fi Hotspots: Public Wi-Fi hotspots in coffee shops, libraries, trains, and other locations are convenient but usually not secure. Many don’t require a password to use and anything you send can be viewed by others on the network.  Avoid using Public Wi-Fi when accessing any private online account information.

If you need to use Public Wi-Fi to access online accounts, there are protections you can put in place to secure your information.  See OnGuard Online.gov Tips for Using Public Wi-Fi Networks.  The most versatile and convenient way is to use a virtual private network (VPN).  VPNs encrypt traffic between Internet Devices and the internet, even on an insecure network.  VPN accounts can be obtained from a VPN service provider, such as Private Internet Access, TorGuard, and many others.  These services can be used with most types of Internet Devices.

6. Secure your Home Network

Most of us now run Internet Devices and connect to the Internet through wireless home networks and a wireless router.  These routers allow multiple Internet Devices and users to access the internet from different parts of your home.  Unless you secure your router, however, you’re vulnerable to other people accessing your network, using your bandwidth, gaining access to all of the Internet Devices on the network, or using your network to commit cyber crimes. Several steps can be taken to protect your home network, although these steps require you to access your router over the internet.  This is easily done, and there are plenty of guides on the internet that will help. See e.g., http://compnetworking.about.com/od/wifihomenetworking/ht/access-routers.htm.  After accessing your wireless router, do the following to make your router more secure:

Change Default Name on Router:  Your wireless router comes with a default SSID name that is assigned by the manufacturer.  The default SSID is usually named “default” or is set as the brand name of the router (e.g. Linksys). The name should be changed to a name that is unique to you and won’t be easily guessed by others.  That way, you will always be sure that you and your guests are connecting to the correct wireless network, even if there are multiple networks in the area.  Important Tip: Don’t use your name, home address, or other personal information in the SSID name.  Choose something you can remember, but that others will not connect to you.

Change Default Username and Password:  Your wireless router also comes with a default username and password (often admin/password).  These defaults are not secure!  There is a publicly available database of default usernames and passwords for every wireless router manufacturer that can be accessed by anyone, including criminals. Follow the guidelines from No. 5 in order to create a more secure password for your router.  Make sure to memorize this password and put it in a safe place.  Otherwise, you will be locked out of your router, which is never a good thing!

Upgrade Router’s Firmware:  You should regularly check the router manufacturer’s website to make sure the router is running the latest firmware.  Like every other piece of software and hardware, routers usually need to be updated.  Upgrade and update as needed.

Enable Network Encryption:  To prevent unwanted computers from using your internet connection, encrypt your wireless signals.  There are several encryption methods for wireless settings such as WEP, WPA, and WPA-2.  If you don’t see WPA-2 as an encryption option for your router, upgrade the firmware or buy a new wireless router as your current one is too old to support an upgrade to WPA-2.

Follow the guidelines from No. 5 in order to create a secure password for encrypting your network.  Do not use the same password as your router password.  You want different and unique passwords for each purpose.

Filter Network Access by MAC Addresses: Media Access Control addresses (“MAC Addresses”) are unique IDs assigned to every Internet Device.  For an added layer of protection, you can add the MAC addresses of your Internet Devices to your router settings so that only those devices can access your network.  This is a solid way to increase security, but not foolproof. Somebody can still sniff out your Wi-Fi traffic and then spoof the MAC address of their device to match one on your network.  Filtering by MAC addresses can also be a hassle when guests come over and want to use your network.  To let them, you have to log into your router and add their MAC address or temporarily turn off MAC filtering. So I leave it up to you whether you think this extra step is necessary.

7. Watch out for phishing scams

Phishing scams are an attempt to acquire your personal information by sending an email that purports to be from a trusted source.  For example, you might receive an email that appears to come from your bank that says “We suspect an unauthorized transaction on your account.  To ensure that your account is not compromised, please click the link below to confirm your identity.”  If you click on the link, you will either download a virus/malware that captures your passwords or be taken to a spoofed website that resembles your bank’s website and gets you to divulge your private information.

To protect yourself from phishing scams, follow these suggestions:

• Be suspicious of any email or communication (including text messages, social media posts, phone calls, ads) with urgent requests for personal financial information.

• Avoid clicking on links. Instead go to the website by typing the web address directly into your browser or by searching for it in a search engine. When in doubt, independently verify the alleged problem with the trusted source by calling them at a phone number you know is accurate.

• Don’t send personal information such as passwords, account info, financial info, medical info or other sensitive information by email. Only provide personal or financial information through an organization’s website if you typed in the web address yourself and you can see that the website is secure.

• Use a secure website (indicated by a https:// and a security “lock” icon) when submitting credit card or other sensitive info online. Never use unsecured Wi-Fi for banking, shopping or entering personal information, even if the website is secure.

If you suspect that you have received a phishing e-mail, forward the email to spam@uce.gov and to the company, bank or organization named in the email. You can also report it to reportphishing@anti-phishing.org.  The Anti-Phishing Working Group is a group of internet service providers, security vendors, financial institutions, and law enforcement that uses these reports to fight phishing.

8.  Safe Disposal

This step is often overlooked, but is critical.  When you decide to get rid of old computers, mobile devices, or papers that contain personal information, make sure that the personal information is permanently destroyed.  Crooks will dumpster dive or buy used computers to look for sensitive personal information.

There are different methods for permanently destroying personal information, depending on where the information was stored:

Papers: Papers should be shredded or incinerated. When shredding, use a cross-cut shredder rather than a strip-cut shredder.  Pieces from a strip-cut shredder can still potentially be put back together, whereas it’s nearly impossible to do so from a cross-cut shredder.

Computers/Laptops: Before disposing of a computer or laptop, you need to get rid of all the personal information that is stored on the hard-drive. Deleting is not sufficient and you will need specialized software to wipe the hard drive clean.  The other alternative is to physically destroy the hard drive.

After wiping or destroying the hard drive, take the device to one of the electronics recycling centers identified on the Massachusetts Office of Energy and Environmental Affairs website.  Many of these centers are national and not just restricted to Massachusetts.

Mobile Devices: Mobile devices store a lot of personal information like addresses, phone numbers, passwords, etc., and you want to make sure that they are wiped properly.  Review your owner’s manual or check the website of your mobile provider for detailed information about what you need to do to wipe these devices clean.  You can also check out these helpful tips from the FTC about how to dispose of your mobile device. After the device is wiped clean, dispose of the mobile device in the same fashion as with computers.

The Cloud: Unfortunately, there is no way for you to control how your information is destroyed from the hard drives of your cloud provider. Contact your cloud provider and ask them about their data destruction policies.

Portable Storage Devices: Flash drives should be wiped clean or destroyed in the same way as computers.  CDs and DVDs can be physically destroyed by breaking into many pieces.  If you still have floppy disks or tapes, cut into smaller pieces.

That’s it for this week.  Hopefully you find these steps useful for protecting yourself from identity theft. Thanks for reading.  Please let me know if you have any questions or want to talk about steps that you have taken to protect yourself from identity theft.

How to Prepare for A Data Breach (Part 2)

Tags: Business, Data Breach, Preparation, Small Business, Uncategorized

In addition to the steps discussed last week, a business should take the following steps to prepare for a data breach:

Step 5: Arrange Possible Remedies for Customers

A recent study shows that 25% of individuals notified of a data breach go on to suffer identity theft.  To combat this, most companies now offer – and consumers expect – some form of credit monitoring services for affected individuals.

Credit monitoring services are directed at fraud in connection with new financial accounts.  This fraud occurs when a criminal uses a victim’s personal information to open a new credit card or other financial account.  Credit monitoring does not prevent the opening of new accounts, but notifies an individual when a new account is opened, so that the individual can determine whether it is fraudulent.

Although credit monitoring service is nice, it is not that effective at actually preventing identity theft and is often a waste of money.  See Brian Krebs “Are Credit Monitoring Services Worth It?”  Notably, there are at least five types of identity theft fraud not covered by credit monitoring services:

Existing account fraud:  Occurs when a criminal uses an individual’s current financial account, such as a credit card account or bank account, to make a purchase from a vendor or withdraw money from the individual’s bank account.

Social Security number and tax refund fraud:  Occurs when a criminal uses an individual’s SSN to obtain employment, for tax reporting purposes, or for other illegal transactions.  Tax refund fraud is a rapidly growing problem and the IRS is attempting to combat it.

Criminal identity theft:  Occurs when an imposter provides another person’s name and personal information to a police officer during an arrest.  The imposter has often fraudulently obtained a driver’s license in the victim’s name and provides that identification document to law enforcement.

Medical Identity Theft:  Occurs when a crook uses an individual’s name and/or other information, such as insurance information, to obtain or make false claims for medical goods or services.  Medical identity theft may result in false entries being entered into a medical record, or the creation of fictitious records in the victim’s name.

See Privacy Rights Clearinghouse, Fact Sheet 33: Identity Theft Monitoring Services.

To try and combat some of these other types of identity theft, many vendors now offer expanded identity theft monitoring services that provide additional monitoring services, such as monitoring commercial and public databases and online chat rooms.  These services vary widely, so you’ll need to investigate carefully to determine what service is best for your customers in the event of a data breach.  The Consumer Federation of America provides some helpful guidance about selecting an identity theft service provider and some assessments of the services offered.  See Consumer Federation of America: Best Practices for Identity Theft Services: How Are Services Measuring Up? Things may have changed since 2012, so make sure to update the information and look for additional identity theft monitoring service providers.

By looking into remedies now, you will be able to evaluate and assess the complete range of available remedies, and select the one that makes the most sense for your customers and business in the event of a data breach. You may also be able to negotiate the best price and gain service concessions. None of this could be done in the middle of a data breach crisis.

Step 6: Draft an Incident Response Plan

You can now begin drafting your Incident Response Plan (the “Plan”). As a word of warning, this document can get very long and detailed, depending on the size and complexity of your organization. There are a lot of on-line guides available that can provide guidance, such as the guides at the SANS Information Security Resources. However, to ensure the Plan is done properly, you may want to consult with a privacy and data security attorney or some other third-party vendor.

The basic elements to include in the Plan are:

Overview:  The Plan should have an overview section that outlines the goals, scope, purpose and assumptions of the Plan.

Roles and Responsibilities of Incident Response Team members:  The Plan should identify each incident response team (the “Team”) member, their contact information, and his/her role or responsibility.  It is better to have this information in writing so each Team member knows exactly what he/she is responsible for when a data breach occurs.  This information should be continuously updated, especially if one member leaves the organization.

Incident Definition and Classification:  The Plan should create an event classification system that defines what constitutes an incident, when an incident is serious, and the specific types of incidents that will set the plan in motion.  For example, port scans are not usually particularly serious, and it is doubtful that these events will set the Plan in motion. But a web security breach or a malware infection should warrant a more urgent response and the Team may need to be notified and the Plan set in motion.

Notification:  The Plan should identify the specific triggers to notify and procedures to follow when notifying the following:  the Team, insurers, law enforcement, outside attorneys, third-parties and customers.  Depending on the type and severity of the event, these groups will be notified at different times, and there will be specific procedures that need to be followed.  Include all statutory and contract breach notification requirements in the Plan.  Also include all insurance notification requirements.  If you choose to use a third-party vendor to notify customers, include all relevant contact information and details of any negotiated deal in the Plan.

Current Network Infrastructure & Payment Processing Systems:  The Plan should also identify, diagram, and include all supporting documentation regarding your organization’s web system architectures, network infrastructure, information flows, payment processing systems, and any other applicable system that contains or processes sensitive personal information.

Existing Security Safeguards:  The Plan should identify all currently operating safeguards that can assist with detection and prevention, including an intrusion-prevention system (IPS), firewall, web-application firewall (WAF), and endpoint security controls for the web, applications, and database servers.

Detection, Investigation and Containment:  The Plan should outline the procedures for detecting, investigating and containing the incident.  Keep in mind that these procedures will vary by the type of incident and the system involved, and may involve contacting third parties such as law enforcement and forensic investigators.  Identify the circumstances when these third parties will be brought in and include all potentially relevant information in the Plan.

Customer Remedies:  If your organization chooses to offer remedies to customers, such as identity protection service, then your Plan should identify the specific circumstances when the remedies will be offered. It should include the contact information of the third-party service provider and the terms of any deal that was negotiated.

Eradication, Cleanup and Recovery:   The Plan should also contain the procedures to follow to get the infected system back up and running.  The cleanup will vary depending on the type of system and the type of attack, but you want policies and procedures in place about how to handle it.  In order to preserve other parts of your IT system, you also want to have procedures about the steps to take before putting the infected system back into production.

Post-Incident Review and Follow-up:  Your Plan needs to include the date for a mandatory follow-up meeting with the Team in order to learn from the incident.  The purpose is to process all of the information that was learned from the incident and figure out if your security posture needs modification to prevent future attacks.  There are likely several questions that will need to be addressed, but try to avoid spending the meeting finding someone to blame. It will be a waste of time and energy and will not improve the security of your organization.

Step 7: Employee Awareness and Readiness Training

As part of your organization’s privacy program, your employees are probably already trained on privacy fundamentals like data collection, retention, use and disclosure.  Your organization should also train every employee about basic breach response procedures and protocols, like what constitutes a data breach and whom to call if a data breach is suspected.  You should also require third-party vendors to do the same.  Team members should receive regular in-depth training about how to investigate a data breach, report findings, and communicate with media and regulatory authorities.  Any completion of required training should be documented and reported to management for internal policy compliance.

Step 8: Crisis Simulation & Revision

It is important to know how your organization will fare during a breach crisis and to identify and correct any gaps.  The best way to assess your organization is by running two types of breach crisis simulations: a tabletop exercise and a “live” simulation.

A tabletop exercise is a simple way to practice executing your Plan without the expense or interruption of a full scale drill.  In a tabletop exercise, Team members talk through a breach crisis scenario in a “war room” type of setting.  These exercises should involve everyone on the Team so that every member has an opportunity to think through their role during a breach event.

“Live” simulations are more elaborate and tend to mimic real-world conditions more closely than tabletop exercises.  “Live” simulations are usually impromptu events that can occur at any time, including the evening or a holiday, like a real breach.  The most effective simulations involve the breach response vendors that your organization has contracted with, as well as your internal Team.  In a “live” simulation, systems are actually compromised and even social media uproars can be created. Talk with your service providers to develop a simulation exercise that includes everyone.

After conducting simulations, evaluate the effectiveness of your Plan to identify any gaps in your organization’s response.  Revise your Plan to fill these gaps and ensure that your organization improves.

If you follow all eight of these steps, your organization will be better prepared for the inevitable data breach.  Thanks for reading.  Please let me know if you have any questions or wish to offer suggestions based on your experience.

How to Prepare for a Data Breach (Part I)

Tags: Business, Data Breach, Preparation

In the last blog post, I discussed ways that a business can try to prevent a data breach. The sad and unfortunate reality, however, is that no matter what you do, most privacy and security experts agree that your business is going to suffer a data breach.  See J.F. Rice, “Are Breaches Inevitable?” Computerworld, Sept. 3, 2014. The Ponemon Institute, a leading research center, puts the probability of suffering a material data breach of more than 10,000 records in the next two years at 19%.  See Ponemon Institute, 2014 Cost of Data Breach at 1-3.

So what should a business do? Start planning NOW for a data breach by creating an Incident Response Plan that your organization will follow in the event of a data breach.  Doing so can reduce the cost of a data breach by, on average, $18 per record. Id. There are eight steps involved in preparing for a data breach and creating and implementing an adequate Incident Response Plan. The first four steps on how to prepare for a data breach will be discussed today, and the next four steps will be discussed next week.

Step 1: Assemble an Internal Incident Response Team

Data breaches are multi-faceted events that require coordinated strategies and responses across the organization. To deal with one, you need an incident response team with representatives from all of your company’s functional groups.  At the very least, your incident response team should include representatives from the following groups who are available 24/7 in the event of an after-hours emergency:

Executive Management: Ideally, your team should have a management-level executive with broad decision-making authority to ensure that the breach management process moves quickly. A quick response time and effective implementation are critical factors when trying to minimize the financial and reputational harm that can occur from a data breach.

If an upper management executive can’t be spared, some companies appoint a lead on the incident response team with delegated authority to take certain actions and make certain decisions. This approach is a great alternative, but it will be inefficient when an action exceeds the lead’s delegated authority and requires approval from the executive management team. But this inefficiency will have to be tolerated in the absence of an upper level executive.

IT and Security: IT and security team members play a critical role by identifying the problem with your computer system, as they are the most familiar with the network systems and security controls in your organization. Usually, however, the internal IT and security team does not conduct the forensic investigation that is needed to track down the breach and how it occurred.  Instead, you will need an outside forensic group that possesses specialized skills and training to perform digital forensic identification and mitigation of the breach. Your internal team will be the liaison with this outside forensic group and work with them to explain your network and its security controls.  Don’t try to cut costs by avoiding the outside forensic group.  Although your internal IT staff might be outstanding, it will cost you more time and money over the long run to have them try to identify the breach. Remember that time is critical and you want to identify the problem and fix it as soon as possible. Better to use reputable forensic specialists for this task.

Legal and Compliance: You need someone from legal and/or compliance to identify the notification, legal and regulatory requirements of the breach response. This includes determining if there is an obligation by law or contract to notify internal organization clients or business partners of the breach and what the content of the notice should be. Breach notification requirements vary by state and contract, so you will need someone from legal and/or compliance to make sure you fulfill your legal obligations with respect to the data breach. This will be discussed more fully below at Step 4. If your organization does not have a legal department, hire an outside attorney who specializes in privacy and data security to help you understand your notification obligations in the event of a data breach.

Public Relations/Communications: You should also have someone who is responsible for disseminating information about the breach to your internal organization and coordinating the response to the external public. With respect to the internal organization, your internal communications team will make sure that all your employees have talking points about the breach if they are approached.  For external communications to the public, you should hire a PR firm that specializes in crisis communication, and have this PR firm take direction from and work closely with your internal communications team to coordinate the response.  Don’t skimp by trying to have your internal communications team handle the media and public communications. Your reputation and business could be irreparably harmed if public communications are done poorly or improperly.

Customer Service: After a data breach, customers have lots of questions, especially ones who are worried about identity theft and fraud. Your organization’s customer service department plays an important role in rebuilding your customers’ trust and ensuring that they understand what happened and how your organization is responding.  If your organization cannot handle the anticipated call volume, many organizations engage a call center and set up a dedicated hotline that consumers can call to get information about the breach.  Websites have also proven to be useful, so that is another option to be considered. No matter which method is used, you will need your customer service department to help you understand the best way to regain your customers’ trust.

For small organizations, it may not be possible to have different people serve these different functions, since there may not be a separate communications or a legal department. That doesn’t matter. The important point to recognize is that these roles are needed if a data breach occurs, and the business needs to identify who is going to fill them – even if it’s the same person!

Step 2: Establish Relationships with Breach Response Vendors and Law Enforcement

The second step is to establish relationships with breach response vendors, regulators and law enforcement before having a data breach.

With respect to regulators and law enforcement, reach out to the relevant Attorneys General, the Secret Service, the FBI, and any other relevant regulator to introduce your business and discuss data privacy issues as soon as possible. It shows that your organization is serious about data protection and privacy and might earn your regulators’ trust and respect. You don’t want your first introduction to be when you report a data breach! A prior personal relationship may aid you when it comes time to report a data breach, and the regulators may be more inclined to offer advice, listen to your side of the story, and give you the benefit of the doubt about the steps you have taken.

With respect to vendors, several types of third-party vendors perform critical functions and are needed during a data breach.  The most relevant to investigate provide the following services: computer forensics, public relations, notification activities, consumer remedies (credit monitoring and identity theft protection), call centers, and legal services.

By contacting vendors before a breach occurs, you can explore the different options available and determine the best option for your organization. It is much more difficult to assess options while in the middle of a crisis, and you are more likely to purchase services that you don’t need. Also, if you are reaching out to a vendor for the first time in the middle of a crisis, you are much more likely to be charged a higher rate for emergency services. By preparing in advance, you can negotiate on price and services and get the best available deal.

Step 3: Cyber-Liability Insurance

As part of your incident response plan, consider whether your organization needs cyber-liability insurance. Effective May 1, 2014, the Insurance Services Office (ISO) revised its Commercial General Liability (CGL) Policy form to exclude losses associated with a data breach.  See Insurance Journal, ISO Comments on CGL Endorsements for Data Breach Liability Exclusions, July 18, 2014.  Since the vast majority of U.S. CGL policies are partially or completely written on ISO’s standard form, your organization’s future CGL policies will likely exclude data breaches, if they don’t already.

To correct this insurance gap, consider purchasing cyber-liability insurance, which provides coverage for two categories of losses: first-party and third-party. First-party losses are the expenses incurred as a direct result of responding to the breach, such as computer forensics, public relations, notification costs, and others. Third-party losses are the losses incurred from claims for damages brought by customers, consumers, and others. Depending on your organization’s needs, it may be wise to purchase insurance for one or both types of losses. Given the exorbitant costs of a data breach, it may be well worth it.

Step 4: Determine Breach Notification Requirements

Organizations should be familiar with the data breach notification requirements that govern their company in the event of a data breach. These requirements come from two sources: contracts with third parties and the states where you conduct business and/or have customers.

Nearly all of the states (47 states plus the District of Columbia, Puerto Rico, and the Virgin Islands) have passed some form of a data breach notification law. These laws contain the following general categories of information:

•  The definition of “personal information” identifying specific data elements that trigger reporting requirements;
•  The definition of what entities are covered;
•  The definition of a “security breach” or “breach of the security of a system”;
•  The level of harm requiring notification;
•  Whom to notify;
•  When to notify;
•  What to include in the notification letter;
•  How to notify;
•  Exceptions that may exist to the obligation to notify (or when notification may be delayed);
•  Penalties and rights of action.

Although all breach notification laws contain the same general categories of information, the details often differ drastically, and you need to know which specific states’ laws apply to your organization and what is required by each state’s breach notification law. For example, Massachusetts differs substantially from many other states about who needs to be notified and the content of the data breach notification letter. See M.G.L. c. 93H. Consult with an attorney and/or a data breach notification vendor to help you assess your current situation and determine what breach notification statutes are applicable.

After determining the requirements from the relevant breach notification statutes and contracts, create a chart or spreadsheet that identifies the critical details for each state, when these requirements are triggered, and the steps that need to be taken in the event of a data breach. This chart will become part of your incident response plan, so update it regularly so that it remains current. All of this may become moot if a national breach notification statute is ever passed, but I’m not going to hold my breath.

This completes the first four steps about how to prepare for a data breach and develop an incident response plan.  Thanks for reading. Check back next week for Part II.

Basic Steps to Prevent Small Business Data Breach

Tags: Data Breach, Prevention, Small Business

It seems like every day in the news, another data breach is reported where millions of records are lost. In the past year alone, the following major data breaches occurred:

Target – Lost 40 million credit and debit cards, along with 70 million customer records, including name, address, email address and phone number.

Home Depot – 56 million debit and credit cards stolen and 53 million email addresses.

eBay – 145 million active users’ data at risk.

JP Morgan Chase – 76 million households and 7 million small businesses.

Community Health Systems – 4.5 million patients.

Goodwill / C&K Systems – 868,000 cards at 300 stores.

Although large companies make the headlines and grab our attention, small businesses are also targets for cyber-attacks.  In 2013, Symantec reported that 31% of all targeted attacks were directed at businesses with fewer than 250 employees.  See Symantec 2013 Internet Security Threat Report.  This finding was echoed by a study conducted by the Ponemon Institute, which found that 55% of small businesses in the U.S. have had a data breach.

Despite this, a majority of small businesses do little to protect themselves from a cyber-attack or protect the sensitive information of their customers and employees.  This inattentiveness is extraordinarily risky.  The average cost for a data breach in 2014 is $201 per record, and the probability of a business having a data breach of more than 10,000 records over the next 2 years is nearly 19%.  See Ponemon Institute, 2014 Cost of Data Breach Study, at 1-3.

These numbers should terrify every small business owner. But there are 7 cost-effective basic steps that a small business can take to decrease the likelihood of a data breach:

1) Identify:  The business should first identify all types of personal and confidential information (“Personal Information”) collected, possessed and used by the business.  Personal Information can include: names & addresses, financial account numbers, social security numbers, e-mail addresses, license numbers, health care information, video rental records, and anything else that can allow the business to identify a specific individual or company.

2) Locate:  Next, the business should determine where the Personal Information is located and stored and where it comes from. Locations can include workplace files, computers, mobile devices, websites, networks, and many other places.  Employees and owners should be questioned about all of the places where they store Personal Information, since they might have data on their home computers and personal mobile devices.

3) Evaluate Risks: The business should then identify and evaluate all potential risks to the security, confidentiality and integrity of the Personal Information in the business.  Risks come in all shapes and sizes and can include natural disasters, cyber-attacks, theft, use of mobile devices & laptops, negligent employees, accepting credit cards, and many, many others.

4) Implement safeguards: After evaluating the potential risks, the business needs to implement reasonable safeguards to mitigate these risks. Safeguards come in three different forms: Physical, Administrative, & Technical.

Physical Safeguards: These are the physical protections, rules, and procedures a business takes to secure Personal Information from physical threats such as natural disasters and unauthorized intrusions. Depending on the business, these safeguards can include: Offsite secure storage, Locked doors and file cabinets, fences, security guards, cameras, passwords, ID cards and other authentication measures for computer/facility access, regular automated backups, and many other possible preventative measures that can be taken.

Administrative Safeguards: These are the management measures, policies, and procedures that an organization puts in place to protect Personal Information. These measures should include:

• Written Information security policy
• Incident response plan
• Internet usage policy
• Social media policy
• Mobile phone policy
• Bring your own device policy
• Specific limitations on employees’ access to information
• Rigorous protections and oversights in third-party vendor contracts
• Employee background checks
• Employment contracts with confidentiality clauses and restrictive covenants, and
• Others depending on the nature of the business.

Technical Safeguards: These are technological measures implemented by an organization to manage and protect Personal Information. These measures should include:

• Keeping hardware, operating system software and apps up to date;
• Using and updating antivirus and antispyware on all computers and devices;
• Using firewalls and virtual private networks to secure sensitive information; and
• Requiring strong passwords with quarterly changes.

Depending on the size and complexity of the organization, and the size of the information security budget, there are many more advanced protections that can be implemented. But the foregoing is the bare minimum that should be done by every business to help protect the organization.

5) Train Employees:  This point cannot be emphasized enough.  Businesses should regularly train employees on the proper way to collect, use and store personal information.  Employees also need to be trained about the nature of today’s cyber-attacks and the best way to protect themselves and the organization.  Cyber-attacks usually begin when an individual opens a “phishing” email message with an attachment that contains malware that infiltrates your network. To stop this, a business should employ a spam filter that will try to catch phishing e-mails and other junk.  But even the best spam filters are not always successful. Employees need to be vigilant and trained not to open anything that seems even remotely unusual.  One isolated training session is not enough, and a business should regularly hold training sessions to emphasize the importance of privacy and information security.

6) Destroy:  Any personal information that is no longer being used by the business should be destroyed.  Paper documents and paper files should be shredded, pulverized, macerated, or burned.  If you hire a company to do this, make sure that the vendor has a good reputation, there are sufficient contractual protections to safeguard the data, and that you understand the vendor’s destruction and disposal practices.  Do not just throw your unshredded sensitive paper documents in the dumpster near your business.

Computers and other electronic storage devices and the information stored on them are a little more difficult to destroy. Merely deleting the information is not enough, and steps need to be taken to overwrite or physically destroy the electronic device and computer. Different electronic devices need to be wiped clean in different ways. If you want to do it yourself, there is plenty of information on the internet about this process.  See, e.g. https://www.us-cert.gov/security-publications/Disposing-Devices-Safely; http://it.med.miami.edu/x677.xml; https://www.privacyrights.org/personal-data-retention-and-destruction-plan#destruction.  If you want to hire a vendor, make sure that they have a good reputation, there are sufficient contractual protections to safeguard the privacy of the data, and that you understand how the device is going to be wiped or destroyed.

7) Monitor and Repeat: After completing the prior steps, you should continuously monitor your systems, networks, and business to make sure that the safeguards are working.  If there are problems, or your business needs change, you may need to revise or supplement the security practices that were put in place.  This is an ongoing process, and cyber-threats are continuously evolving.  You need to be vigilant in order to have the best chance of preventing a data breach.

Following these steps will not guarantee that your small business won’t have a data breach.  But they are cost-effective and should decrease the likelihood of a data breach.  Your business will also be in a better position to determine whether more expensive protections are needed.

Thanks for reading! I would love to hear if you have other suggestions or there is something else your business is doing to protect itself from a data breach.

Understanding Privacy

Tags: Definition, Uncategorized

Since I am writing a blog about privacy, it seems only natural that I explain what I mean by the word “privacy.” Unfortunately, this is easier said than done and scholars have struggled with an appropriate definition for many years. But, the essential idea was stated succinctly by Louis Brandeis and Samuel Warren when they defined “privacy” as “the right to be left alone.” See Samuel Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard Law Review 4 (1890).

This definition seems correct, but is woefully vague and cries out for further explanation. Unfortunately, any attempt to clarify becomes immensely complicated and messy. Two questions in particular complicate the issue:

1.  Who do we want to leave us alone?

2.  In what ways do we want to be left alone?

Let’s take a look at each question and see why the issue is so complicated.

Entities We Want to Leave Us Alone

The initial response to (1) may be: “We have the right and want to be left alone by everyone!” This may be true. Anyone can decide to throw everything away, move into the woods, and live like a hermit and avoid society. If you move far enough away and are willing to forego enough amenities, you can avoid the bank you owe a mortgage to, your spouse and children who you now owe alimony and child support, your student loan payments, and the IRS. After all, Ted Kaczynski, the Unabomber, and Whitey Bulger —the infamous gangster— were able to avoid detection for many years.

Few of us, however, actually want to go this far (although sometimes — I admit — it seems attractive when staring at my mortgage payment and dealing with my eight year old daughter!!).  However, we still want to be left alone at various times in life. With respect to privacy concerns, it is helpful to think in terms of four broad categories of entities:

1.  The Government

2.  Other Individuals in Society

3.  Companies

4.  Employers

Each category can probably be broken down further, but they serve as a good starting point to start thinking about privacy. Most of us have different privacy interests with respect to each category and want different protections with respect to the different entities.

For example, in U.S. v. Jones, 133 S. Ct. 945 (2012), the Supreme Court found that the police could not track a suspect with a GPS device placed on his car without obtaining a search warrant. The Court found that the government’s use of the GPS device violated the Fourth Amendment, which provides that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.”

Fourth Amendment protection is completely irrelevant with respect to companies, such as Google and Apple, who regularly track the location and movement of their customers. See Julia Angwin & Jennifer Valentino-DeVries, Apple, Google Collect User Data, Wall St. J., April 22, 2011. These companies rely on consumers’ consent to track their location, which is cheerfully given in order to use these amazing devices and services. For most, it seems like a small price to pay.

Similarly, many people are willing to share intimate aspects of their lives with friends and connections on Facebook, LinkedIn, and other social media. We do this under the supposed protections of the companies’ privacy policies and terms of service, although few of us read or understand the details of these policies. It only becomes a problem when something is unwittingly shared with the wrong group of people, such as the poor kids who revealed their homosexuality to their parents through Facebook.  See Geoffrey A. Fowler, When the Most Personal Secrets Get Outed on Facebook, Wall St. J., Oct. 13, 2012.

Conversely, most people are wisely unwilling to share this information with potential employers, even though employers ask for social media usernames and passwords. Many states now prohibit, or are in the process of prohibiting, employers from asking for social media login credentials. See National Conference of State Legislators, Employer Access to Social Media Passwords Legislation.
 
This blog will explore the different ways that we want to be left alone with respect to the government, companies, other individuals, and employers. I will evaluate these differences, make comparisons about the different methods of protecting our right to be left alone, and make recommendations about ways to improve our protections.

Ways to Be Left Alone

My second question also complicates matters: In what ways do we have the right to be left alone? Scholars have struggled to identify the types of activities that can be considered privacy violations. William Prosser, the famous torts scholar, identified four types of harmful activities considered common-law privacy torts:

1.  Intrusion upon a plaintiff’s seclusion or solitude or into his private affairs.

2.  Public disclosure of embarrassing private facts about the plaintiff.

3.  Publicity which places the plaintiff in a false light in the public eye.

4.  Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.

See William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 389 (1960).  See also Restatement of the Law, Second, Torts, § 652 (identifying privacy torts). More contemporary scholars criticize Prosser’s focus on torts and attempt to identify a wider array of privacy harms that better reflect modern society. See, e.g., Daniel J. Solove, Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006) (identifying taxonomy of privacy harms).

I will not get bogged down in these disputes, but will focus on three areas of our lives:

•  Personal Information

•  Location/Territory

•  Communications

Personal Information

Personal information is any piece of information about a living identifiable human being. This information includes: financial information, social security numbers, medical information, education records, friends/associations, reading habits, pictures, and many, many other intimate aspects of our lives.

Most of us want to keep much of this personal information secret and maintain control over who accesses this type of information. Invasions and intrusions of personal information occur in the following situations: monitoring, unauthorized access, data breaches, unwanted disclosure, inaccurate information, deanonymization and identification, identity theft, misuse of information, and other types.

Despite our desire to maintain control over personal information, most of us are willing to allow companies, the government, and other people to have access to some parts of our personal information. Usually, we allow access for the sake of convenience, entertainment, or to maintain personal relationships. In this blog, I will explore the situations when we are willing to grant access to our personal information, the types of protection in place to maintain our control, the adequacy of these protections, and how to improve them.

Location/Territory

Location/Territory refers to our physical space, location and environment. Most people want to ensure that others do not intrude in our physical space and environment without our consent. Invasions and intrusions take the form of video surveillance, tracking, trespassing, photography, unlawful searches, and others.

Although we do not want our physical space invaded or to be tracked without our consent, consent is often freely given to companies when they ask. I am constantly bombarded with requests from my smart-phone about apps that want to access my location. I usually let them, even though it’s often unclear why the app wants my location. In this blog, I will explore the tensions in our thoughts about location privacy, and explore our willingness to share our location with companies while we are unwilling to share it with the government, other individuals, or our employer.

Communications

Communications refers to the exchange of information through writing, speaking, typing or any other method of exchanging information. This includes, but is not limited to, the following forms of communication: postal mail, telephone conversations, email, in-person communications, and many others. Most of us want to keep our communications private and do not want to share them with unintended recipients. Invasions or intrusions take the form of monitoring, recording, unauthorized access, inadvertent disclosure, wiretapping, and others.

Although we want our communications to be kept private, most of us regularly use one of the most insecure forms of communication: e-mail. Employees are constantly warned not to use their employers’ computers for private communications, but constantly ignore these warnings, and these communications are accessible to the employer. Furthermore, Edward Snowden revealed widespread collection by the NSA of Americans’ phone records and monitoring of the internet, but these revelations have not led to widespread reforms, and most people continue to use email without encrypting their messages.  See Andrea Peterson, A year after Snowden’s revelations, government surveillance reforms a work in progress, Wash. Post, June 5, 2014.

In this blog, I will also explore our thoughts about communication privacy, including the steps that we are willing to take to protect the privacy of our communications, and how to counterbalance this with other interests such as security, convenience, accessibility, and others.

In short, there is a lot to talk about. Thanks for taking the time to read this and I welcome your thoughts about privacy and anything discussed here.