Introduction
Businesses that operate across state lines must comply with multiple state consumer protection statutes. Often these statutes include prohibitions against “deceptive” and “unfair” trade practices. Attorneys general at the state level have interpreted consumer protection statutes to provide de facto data security requirements for businesses to follow when collecting and storing the personal data of consumers. In the case of a data breach, attorneys general may bring an enforcement action against companies for violating consumer protection laws by failing to secure consumer data.
While several states have codified specific data security standards for companies to safeguard consumer data, most states do not have specific security standards and instead rely on the authority of the attorney general’s office to prosecute companies for deceptive or unfair trade practices. For instance, a company that fails to live up to the data security guarantees it makes to a consumer in its privacy policy can be deemed to be engaged in a “deceptive” trade practice. Even when there is no express guarantee of data security, authorities may consider a company’s lax data security measures surrounding personal data to be an “unfair” trade practice.
Recently, states have joined efforts in pursuing companies for data breaches that affect consumers in multiple states. In the past two years, attorney general offices have entered into multistate data breach settlements (referred to collectively as “assurances of voluntary compliance”) with the dating website Ashley Madison, Nationwide Insurance, Target Corporation, and Adobe. In each settlement, the company agreed to implement and maintain an information security program with specific data protection safeguards. In the absence of uniform state or federal laws mandating data security measures, the settlements are the best indicator of what state authorities expect from a company vis-à-vis its data protection measures.
Information security programs
One element present in each settlement was the requirement to implement a comprehensive information security program. An ISP is the set of policies, procedures and personnel dedicated to keeping sensitive data from being mishandled or breached. The ISP typically involves three prongs: assessing risks, mitigating risks, and updating the program. The ISPs required in the four data breach settlements included the following elements:
- Create and implement a written information security program.
- Designate employees responsible for administering the information security program.
- Assess service providers based on their capability to safeguard information.
- Enter into contracts with service providers that require them to implement and maintain appropriate safeguards.
- Implement policies and procedures for auditing service provider compliance with safeguards.
- Maintain and support software, including resources to address software patches and end of life software issues.
- Maintain encryption protocols and policies for personal information stored in the Cardholder Data Environment.
- Encrypt personal information stored on laptops or other portable devices or transmitted wirelessly or across public networks.
- Comply with the Payment Card Industry Data Security Standard (PCI DSS) with respect to the Cardholder Data Environment.
- Perform ongoing risk assessments of the network and software design, including information processing, storage, transmission and disposal.
- Train employees annually in compliance with the information security program.
Security patches
Software is the lifeblood of modern business. From processing payroll information to tracking inventory, the software enables a business to standardize and speed up processes while reducing the risk of human error. Yet software poses one of the largest data security risks to a business network. Hackers can gain access to a computer network by exploiting flaws, often called holes or vulnerabilities, in a software program. Such holes allow hackers to enter a computer network and steal information or hold data for ransom.
One recent example of such an exploitation was the WannaCry ransomware, which exploited a hole in Microsoft’s operating system. Once WannaCry entered a network, it froze the affected Microsoft systems’ ability to operate and issued a ransom demand. Similarly, the data breach involving Nationwide Insurance involved hackers gaining access to the business network through a vulnerability in software.
Once a vulnerability is discovered, software engineers can fix it by creating an update to the existing software called a "patch." Patches are applied by updating existing software or downloading new software. In the Nationwide breach, the attorneys general went to great lengths to spell out a software patch policy for Nationwide to implement. Key elements of the patch policy include:
- Appoint personnel to oversee security and software updates, application of security patches and patch management tools.
- Inventory software systems, including a list of updates, patches applied or installed.
- Assign a priority level and schedule for software updates.
- Regularly review and update the Incident Management Policy and Procedures by which the organization commences and manages its response and review of network security incidents.
- Implement a system management tool to scan for known Common Vulnerabilities and Exposures (CVEs) in vendor software and identify systems that may be affected by them.
- Install an automatic CVE feed from a solution provider into its intrusion detection and protection system.
- Conduct a semiannual patch assessment to determine whether the patches for known CVEs were applied.
- Hire an outside, independent provider to audit the security patch program.
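The semiannual patch assessment described above, as an added example that is not part of the settlement or of any vendor's tooling: it matches an inventory of installed vendor software against a CVE feed and reports every system still missing the fixing patch, ordered by remediation deadline. The inventory, the feed entries (with placeholder CVE identifiers) and the severity-to-deadline schedule are all constructed for the example.

```python
"""Semiannual patch assessment: compare installed software versions against a
CVE feed and list unpatched findings. Inventory, feed and SLA values are
constructed sample data; CVE-XXXX-* are placeholders, not real identifiers."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    cve: str        # placeholder identifier
    product: str    # vendor product name as recorded in the inventory
    fixed_in: str   # first version that contains the patch
    severity: str   # drives the priority level and schedule

def parse_version(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10) so versions compare numerically, not as strings.
    Assumes purely numeric dotted versions (no letter suffixes)."""
    return tuple(int(p) for p in v.split("."))

def is_patched(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) >= parse_version(fixed_in)

# Assumed remediation deadline (days) per severity, i.e. the "priority level
# and schedule" the policy calls for.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def assess(inventory: dict, feed: list) -> list:
    """Return (host, product, installed, cve, severity, sla_days) for every
    CVE whose patch is not yet applied, tightest deadline first."""
    findings = []
    for host, software in inventory.items():
        for product, installed in software.items():
            for adv in feed:
                if adv.product == product and not is_patched(installed, adv.fixed_in):
                    findings.append((host, product, installed, adv.cve,
                                     adv.severity, SLA_DAYS[adv.severity]))
    return sorted(findings, key=lambda f: (f[5], f[0]))

# Constructed inventory: host -> {product: installed version}.
INVENTORY = {
    "pos-01": {"posapp": "3.1.0", "openssl": "1.0.2"},
    "web-01": {"httpd": "2.4.10", "openssl": "1.1.1"},
}
# Constructed CVE feed entries.
FEED = [
    Advisory("CVE-XXXX-0001", "openssl", "1.1.0", "critical"),
    Advisory("CVE-XXXX-0002", "httpd", "2.4.10", "high"),
    Advisory("CVE-XXXX-0003", "posapp", "3.2.0", "medium"),
]

if __name__ == "__main__":
    for finding in assess(INVENTORY, FEED):
        print(finding)
```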
Network segmentation
The process of separating sensitive information from other, nonsensitive information through security controls is called segmentation. Segmentation operates similarly to compartmentation within a ship’s hull: a breach in a nonsensitive compartment must be contained there and kept from spreading into the other, more sensitive areas. For a business that keeps credit card data in its network, segmenting this part of the network, referred to as the Cardholder Data Environment, is key to preventing a hacker from accessing credit card data.
In December 2013, Target Corporation discovered a data breach that exposed 40 million customer debit and credit card accounts. Target hired Verizon to conduct an investigation, which concluded that once a user had access to Target’s central network, they were able to access the Cardholder Data Environment. In one instance, Verizon was able to hack into a deli meat scale in one store and access cardholder information from the point of sale machine in another store.
The root of Target’s breach, however, occurred when its HVAC maintenance company, Fazio Mechanical, was breached by a piece of email malware earlier that year. During that breach, hackers were able to steal the virtual private network credentials Fazio used to remotely access Target’s network. Once the hackers were in the network, they spread malicious software to point of sale machines in over 1,800 stores.
In its settlement, Target agreed to pay $18.5 million to 47 state attorneys general for failing to safeguard customer credit card data. In addition to many of the requirements listed above concerning third-party risk assessments, the settlement included specific provisions concerning segmenting the Cardholder Data Environment.
- Scan and map the connections between the Cardholder Data Environment and other parts of the network to identify penetration vulnerabilities.
- Segment the Cardholder Data Environment from other parts of the network through security controls.
- Segregate payment card information from parts of the network that are accessible by public-facing servers.
- Develop and implement a risk-based penetration testing program.
- Maintain the separation of development and production environments.
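The "scan and map the connections" step above, as an added example (not the settlement's or Target's own tooling): given a host-to-zone assignment and a set of observed network flows, it lists every connection into the Cardholder Data Environment that originates from a zone the segmentation policy does not allow, and summarises them to prioritise fixes. Host names, zones, the flow record format and the flows themselves are constructed.

```python
"""Map connections crossing into the Cardholder Data Environment (CDE) and
flag those the segmentation policy does not permit. Zones, hosts and the
flow records are constructed sample data."""
from collections import Counter

# Assumed zone assignment per host (in practice derived from VLAN/subnet).
ZONES = {
    "pos-store1": "cde", "pos-store2": "cde", "pay-db": "cde",
    "scale-store1": "store-lan", "hvac-vendor-vpn": "vendor",
    "www-01": "public", "bastion": "jump",
}
# Only these source zones may open connections into the CDE.
ALLOWED_INTO_CDE = {"cde", "jump"}

def parse_flow(line: str) -> dict:
    """Constructed flow format: 'src dst dport', one record per line.
    Hosts missing from the zone map are labelled 'unknown'."""
    src, dst, dport = line.split()
    return {"src": src, "dst": dst, "dport": int(dport),
            "src_zone": ZONES.get(src, "unknown"),
            "dst_zone": ZONES.get(dst, "unknown")}

def cde_crossings(flows) -> list:
    """Return flows whose destination is in the CDE but whose source zone is
    not allowed to reach it; unknown hosts are treated as not allowed."""
    return [f for f in map(parse_flow, flows)
            if f["dst_zone"] == "cde" and f["src_zone"] not in ALLOWED_INTO_CDE]

def crossing_summary(flows) -> Counter:
    """Count disallowed crossings by (source zone, CDE host) so the most
    exposed CDE hosts are addressed first."""
    return Counter((f["src_zone"], f["dst"]) for f in cde_crossings(flows))

FLOWS = [  # constructed sample records
    "scale-store1 pos-store2 445",   # store device reaching POS in another store
    "hvac-vendor-vpn pay-db 1433",   # vendor VPN account reaching payment DB
    "www-01 pay-db 1433",            # public-facing server into the CDE
    "bastion pos-store1 22",         # allowed: jump host
    "pos-store1 pay-db 1433",        # allowed: inside the CDE
    "scale-store1 www-01 80",        # not into the CDE; ignored
]

if __name__ == "__main__":
    for f in cde_crossings(FLOWS):
        print(f"{f['src']} ({f['src_zone']}) -> {f['dst']}:{f['dport']}")
    print(crossing_summary(FLOWS))
```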
Network access control
Preventing a data breach starts with keeping bad actors out of the network. Network access control involves establishing a server to authenticate and authorize user functions by first verifying login information. After a user is verified, the network access control program can restrict a user’s access and run anti-threat applications, like anti-virus software and firewalls.
- Implement and maintain controls to manage access to and the use of its service accounts and vendor accounts, including strong password requirements and password-rotation policies.
- Evaluate and if necessary restrict or disable all unnecessary network programs that provide access to the Cardholder Data Environment or any environment that could reasonably impact the security of the Cardholder Data Environment.
- Adopt a reasonable and risk-based approach to integrate two-factor authentication into individual accounts.
- Maintain a process that will create an alert if exfiltration reporting sources are not operating properly.
- Logging and monitoring: Implement reasonable controls to manage the access of any device attempting to connect to the Cardholder Data Environment through firewalls, authentication credentials, or other mechanisms. Maintain a system to collect logs and monitor network activity.
- Adopt improved, industry-accepted payment card security technology, like chip and PIN.
- Devalue payment card information by encrypting it throughout the course of the transaction.
File integrity monitoring
File integrity monitoring acts as an alarm system for computer networks. Once hackers break into a network, they spread malicious code that will alter a network’s composition. File integrity monitoring first involves establishing a baseline for what a network’s composition will look like absent any unauthorized code. A file integrity monitoring program will then detect changes to the network and assess whether those changes were authorized.
- Establish a system to notify personnel of unauthorized modifications to critical applications or operating systems within the Cardholder Data Environment.
- Implement “whitelisting” procedures to detect or prevent the execution of unauthorized applications within point of sale terminals and servers.
- Develop and maintain “change control policies” that manage and document changes to a network’s system.
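The baseline-then-detect approach described above, combined with the change control requirement, as an added example (not the settlement's own tooling): it hashes a set of critical files to form a baseline, diffs the current state against it, and reports only those additions, modifications and removals that no approved change ticket accounts for. The file contents and tickets are constructed in memory so the block runs offline; a real deployment would hash files on disk.

```python
"""File integrity monitoring with a change-control check: baseline critical
files, detect changes, and report the changes no approved ticket covers.
Files and tickets are constructed in memory for the example."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """files: {path: content bytes} -> {path: sha256 hex digest}."""
    return {path: sha256(content) for path, content in files.items()}

def detect_changes(baseline: dict, current: dict) -> list:
    """Return (kind, path, new_hash) for added, modified and removed files;
    new_hash is None for removals."""
    now = build_baseline(current)
    changes = []
    for path in sorted(set(baseline) | set(now)):
        if path not in baseline:
            changes.append(("added", path, now[path]))
        elif path not in now:
            changes.append(("removed", path, None))
        elif baseline[path] != now[path]:
            changes.append(("modified", path, now[path]))
    return changes

def unauthorized_changes(baseline: dict, current: dict, approved: dict) -> list:
    """approved: {path: expected sha256 after the approved change, or None for
    an approved removal}. A change is authorised only when its result matches
    the ticket exactly; anything else is reported for notification."""
    return [c for c in detect_changes(baseline, current)
            if approved.get(c[1], "no-ticket") != c[2]]

# Constructed baseline snapshot of a POS terminal's critical files.
BASELINE_FILES = {
    "/pos/app.bin": b"posapp v1",
    "/pos/config.ini": b"timeout=30",
    "/etc/hosts": b"127.0.0.1 localhost",
}
# Constructed current state: an approved app update plus an unexpected file.
CURRENT_FILES = {
    "/pos/app.bin": b"posapp v2",
    "/pos/config.ini": b"timeout=30",
    "/etc/hosts": b"127.0.0.1 localhost",
    "/pos/unknown.dll": b"not in any change ticket",
}
# Constructed change ticket covering the app update only.
APPROVED = {"/pos/app.bin": sha256(b"posapp v2")}

if __name__ == "__main__":
    for change in unauthorized_changes(build_baseline(BASELINE_FILES), CURRENT_FILES, APPROVED):
        print("ALERT:", change)
```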
Conclusion
Data breaches threaten every company that collects sensitive personal data. In the absence of state and federal laws that establish data security practices for businesses, state attorneys general have, in effect, developed a set of data security standards through multistate data breach settlements. Data privacy and information security professionals would be prudent to take stock of these standards and make the necessary changes to protect personal data.